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General 


Preface 


About This Manual 


This manual describes the functions and operations of the Ethernet 
monitor, a software component of the Distributed Sniffer System™. It 
also gives recommendations on how to use the monitor effectively to 
detect network problems. 


The Distributed Sniffer System consists of two types of products: 
Sniffer® servers and SniffMaster™ consoles. Each server observes the 
local or wide-area network to which it is attached; the console controls 
the servers and displays the results of the servers’ activities. Some 
servers run the monitoring or analysis application alone, while others 
run both. 


Manuals for the Distributed Sniffer System 


Two types of manuals accompany the Distributed Sniffer System. The 
primary manuals, which include this manual, describe the system’s 
normal operations; the supplementary manuals describe the 
programs that configure and test the system’s various hardware and 
software components for troubleshooting. The actual manuals in your 
shipment depend on the system configuration. 


Figure i describes the primary manuals. 


For Information On... 


Installing and configuring the server. | Distributed Sniffer System: 
Installation and Operations 
Manual or Distributed 
Sniffer System: Server 
Installation Manual. 


Distributed Sniffer System: 
Installation and Operations 
Manual. 


Installing and configuring the console. 
Controlling servers from the console. 


Starting and terminating the 
applications on the server. 


Operating the server's analysis 
functions on an Ethernet, token ring, or 
wide area network. 


Distributed Sniffer System: 
Analyzer Operations 
Manual. 


Figure t. Primary manuals for the Distributed Sniffer System (continued). 
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For Information On... | —s«éRead.w 


Operating the server’s monitor Distributed Sniffer System: 
functions on an Ethernet network. Ethernet Monitor Operations 
Manual (this manual). 


Using the monitor features effectively 
to detect network abnormalities. 


Operating the server’s monitor 


Distributed Sniffer System: 
functions on a token ring network. 


Token Ring Monitor 
Operations Manual. 


Using the monitor features effectively 
to detect network abnormalities. 


Various network and protocol types. | Distributed Sniffer System: 
Network and Protocol 


Reference. 


Figure i. Primary manuals for the Distributed Sniffer System. 


Figure ii describes the supplementary manuals. 


For Information On... 


Running the adapter diagnostics to test | Token-Ring Network Guide 
the IBM 16/4 token ring adapter in the | to Operations. 
console. 


Running the diagnostics to test the NI5210 Installation Manual. 
InterLan NI5210 Ethernet controller in 
the console. 


Configuring and using the IBM® Local | Local Area Network Support 
Area Network (LAN) Support Program Version 1.2 User’s 
Program. Guide. 


Figure ti. Supplementary manuals for the Distributed Sniffer System. 


If the product shipment includes release notes or README files on 
disks, the information in the notes or files supersedes the information 
in this manual. 


Audience of This Manual 


The manual has been prepared with the following assumptions: 


* You are an Ethernet network manager or troubleshooter who 
understands how an Ethernet network operates. 


* You are familiar with DOS. 


* You have properly started the SniffMaster console. 
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Preface 


Organization of This Manual 


Figure iii describes the organization of this manual. 


Chapter 1, “Product 
Overview” 


Chapter 2, “Getting 
Started” 


Provides an overview of the monitor and 
describes its capabilities. 


Describes the preparation required 
before you start a monitoring session. It 
also discusses the menu structure. 


Chapter 3, “Displaying | Describes how to display various types 


Statistics” 


Chapter 4, “Managing 
the Station Data Files” 


Chapter 5, “Working 
with Alarms” 


Chapter 6, “Creating 
Reports” 


of statistics gathered in the current 
monitoring session. 


Describes how to specify information 
about stations on the network, which 
affects the way the monitor observes the 
network and generates alarms. 


Describes different types of alarms. 


Describes the report scripts and gives 
procedures for generating, printing, and 
saving reports. 


Chapter 7, “Establishing | Provides recommendations on how to 


a Baseline for Your 
Network” 


use the monitor features to become 
familiar with normal network traffic 
patterns. 


Chapter 8, “The Monitor | Describes the files on the server that you 


Data Files” 


might need to modify or view when 
using the monitor. 


Chapter 9, “The Monitor | Explains in detail all the menu items and 


Menu Items” 


the terms used in the monitor’s screen 
displays. 


Figure iit. Scope of each chapter or appendix in this manual (continued). 
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Appendix A, “Error and | Lists all warning and error messages and 
Warning Messages” describes recommended actions. 
Appendix B, “Report Lists and describes the report fields that 
Fields” you can insert in a report script. 
Appendix C, “Ethertype | Lists the hexadecimal values of various 
Values” Ethertypes. 


Figure tit. Scope of each chapter or appendix in this manual. 


Navigational Aids Used in This Manual 


To help you find procedures easily, a separate list of procedures is 
provided in this manual in addition to the Table of Contents and List 
of Figures. Also, the “Recommendation” entries in the Index point 
you to suggestions for getting the most from your Ethernet monitor. 


This manual uses icons in the margin to help you locate important 
information as explained below: 


The paragraph next to this icon contains information that is especially 
important; you should be certain to read it carefully before you 
proceed. 


A warning gives you instructions that you must follow to avoid 
possible damage to data files, program files, or hardware devices. 


A cautionary paragraph provides information that you need to avoid 
injury to yourself or others. 


A recommendation describes a useful and valuable way of using the 
product. 


eee 


Cy 
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NOY, 


A procedure is a series of steps for accomplishing a particular task. 


s 
oy 


Conventions Used in This Manual 


Special Notations 
The following describes the conventions used in this manual: 
Bold Menu options are in bold type. For example: 


Move to Display and press Enter. 


. 


Preface 


Terminology 


UPPERCASE The filenames and command names you type at a DOS 
prompt are in uppercase. For example: 


Modify the AUTOEXEC.BAT file if necessary. To 
duplicate the file, use the COPY command. 


Bolditalics Variables, for which you insert values, are in bold 
italics. For example: 


Type the number of minutes and seconds in the mmss 
format. 


Screen font Screen messages are printed in monospaced font. For 
example: 


If a monitoring session is in progress, the following 
message appears: 


You must stop monitoring before you can use this feature. 


Hexadecimal numbers mentioned in the manual are followed by 
“(hex)”; numbers without any notations are decimal. For example, 
“The maximum number of stations is 75. The default memory address 
is D8000 (hex).” 


The terms “SniffMaster console” and “Sniffer server” refer to the 
hardware units of the Distributed Sniffer System. The term 
“application” refers to a software component (that is, the monitoring 
or analysis program) running on the Sniffer server. 


This manual sometimes uses the abbreviated names for the various 
components of the Distributed Sniffer System. The terms “server” and 
“console” mean the Sniffer server and SniffMaster console, 
respectively. The term “monitor” stands for the Ethernet monitoring 
application, and the term “analyzer” stands for the Ethernet analysis 
application. 


Screen Displays and Keyboard Input 


All the keystrokes mentioned in the manual are entered from the 
SniffMaster console. Similarly, all the screen displays generated by 
the monitor appear on the console’s screen. 


The screen displays in this manual may not be exactly the same as 
what you see on your console screen. For example, you can choose to 
have the console show the server name on each monitor display, but 
the screens in this manual do not show the name. 
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Other Sources of Information 


On-Line Help 


Tutorial 


Technical Support 


Network General Corporation (NGC) provides other sources of 
information that can help you get familiar with the Distributed Sniffer 
System. 


After highlighting an item in a console, analyzer, or monitor menu, 
you can see a phrase or sentence in a panel near the bottom of the 
screen. It explains the meaning of the highlighted item. 


If you want to obtain general information ona particular feature of the 
Distributed Sniffer System, press F1 at any time. A window 
containing a list of topics opens. If you are displaying a monitor 
statistics screen, pressing F1 gives you information on the current 
screen. 


NGC distributes a booklet with accompanying diskette entitled Real 
Networks. Real Problems. It presents case studies based on data 
captured with a Sniffer network analyzer from four different 
networks. The Sniffer analyzer and the server's analysis application 
have different capabilities, but the case studies allow you to see how 
investigation of a network problem proceeds. 


You can obtain the tutorial free of charge from any of the company’s 
sales representatives or directly from NGC. 


If you have problems with the Distributed Sniffer System, refer to 
Appendix A, “Troubleshooting Guide,” in the Distributed Sniffer 
System: Installation and Operations Manual for the procedure for 
contacting NGC’s technical support. 
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Chapter 1. Product Overview 


Chapter Overview 


The Ethernet monitor is a network monitoring program that runs on 
an Ethernet Sniffer server. This chapter describes the monitor's 
features and requirements. 


What the Monitor Can Do 


The monitor provides an accurate picture of network activity at any 
moment or a historical record of network activity over a period of 
time. This information helps you find traffic overloads, plan for 
network expansion, detect intruders, establish performance baselines, 
and distribute traffic more efficiently between servers and subnets. 


The monitor’s report capabilities let you communicate this 
information to others, complete with graphs and tables. The alarm 
capabilities alert you to problems with the network or with individual 
stations before users call you to complain. 


The following list summarizes the capabilities of the monitor: 
* Monitors up to 1,024 network stations 


* Generates alarms for the entire network and for individual 
stations 


* Compiles a historical alarm log 


* Provides real-time traffic and historical information for 
individual stations as well as for the entire network 


* Sorts statistics to show only those items that interest you 
* Creates customized management reports. 


The monitor only monitors frames on the Ethernet network segment 
to which the Sniffer server’s Monitor Card is attached. It does not 
count frames on remote networks that are connected to the local 
segment by bridges or routers. 


The monitor rounds up small percentages to 0.01%. Keep this in mind 
when you interpret percentages in statistical views or reports. 
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System Requirements 


The monitor can be used on an Ethernet or IEEE 802.3-compatible 
network. 


Each Ethernet server is loaded with either the TCP/IP or IPX protocol 
stack. The NetWare® and NetBIOS features described in this manual 
apply only to a server with IPX. 
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CHAPTER TWO: GETTING STARTED ? 


General 


Chapter 2. Getting Started 


Chapter Overview 


You can modify the option settings presented in the monitor’s Main 
Menu to specify how the monitor operates. For example, you can 
determine: 


* How the monitor observes the network 
* How the monitor collects statistics 
* How the monitor presents statistics. 


The monitor is shipped with default option settings that you can use 
to start a monitoring session. However, it may become necessary to 
customize these settings to suit the needs of your network. Familiarize 
yourself with these options so that you can interpret and use the 
statistics efficiently. 


This chapter describes the following: 


* Performing the minimum amount of configuration for a 
monitoring session. More information on how to further 
customize the monitor is given in the chapters that follow. 


* Interacting with the monitor. 


* Running the monitor in the background. 


Outline of the Getting-Started Procedure 


The following list outlines the steps for getting started with the 
monitor: 


1. Start the monitor application. 


2. Specify whether the monitor gathers information about all 
stations or a particular station. 


3. Specify the station for which history statistics are to be 
collected. 


4. Start a monitoring session. 


The following sections describe these tasks in detail. 
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Starting the Monitor 


Refer to the Distributed Sniffer System: Installation and Operations 
Manual for information on starting the monitor. 


When you start the monitor, the following happens: 


* The Sniffer server loads the monitor driver into memory, 
which is a memory-resident program for monitoring the 
network. 


* The Sniffer server loads the monitor application program into 
memory, which displays the monitor’s Main Menu. From this 
menu, you can start a monitoring session, configure option 
settings, and use other features of the monitor. Figure 2-1 
illustrates the monitor’s Main Menu on a server running both 
the network analyzer and monitor. On a server that runs only 
the monitor, the first item in the center panel is Cable tester. 


lobal statistics ¢ 

Network Single station 4 
General Station test All stations d 
Monitor filters Frame sizes 4 


History Ethertype protocold 
Ethernet Sniffer Alarm log d 
Network Monitor arn Global history 4 
Report Station history /# 
Version 1.30 Manage stations 
Exit #| Class 


(C) Copyright 
1988 - 1991 Network usage 


Display traffic statistics. 


Use the arrow keys to move, or ENTER to do this function 


il 10 | New 
Help monitor 


Figure 2-1. Main Menu. 


Interacting with the Monitor 


This section describes the notations used in the monitor menus, and 
how you select options and values. For specific tasks (for example, 
displaying statistics for a particular station), refer to the chapters that 
follow. (If your Sniffer server is equipped with the analyzer, notice 
that the monitor’s menu structure and user interface are consistent 
with those of the analyzer.) 
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Interacting with the Monitor 


The Menu Structure 


All functions of the monitor are accessible through the Main Menu, 
which is shown in Figure 2-1. When the Main Menu first appears, the 
Display option is highlighted. Options associated with the Display 
option are listed in the panel to its right. This organization is 
consistent throughout the monitor’s menu structure: options 
associated with any highlighted item in the center panel always 
appear to the right. 


In this manual, a list of options displayed in a panel is called a menu; 
the name of the menu is the highlighted option in the center panel. For 
example, in Figure 2-1, the highlighted option is Display, and the 
right panel is the Display menu. 


A back slash is used in this manual to specify the location of an option 
if more than one level of menu is involved. For example, to refer to the 
Numeric option associated with the Global statistics option in the 
Display menu, the manual uses this notation: the Numeric option in 
the Display \Global statistics menu. 


Moving Through the Menus 


You can move through the menu structure both vertically and 
horizontally. A highlight shows your current location. Move through 
the menus by: 


* Pressing the cursor keys: 


For example, when Display is highlighted, pressing Cursor Up 
deselects Display and highlights History. 


* Pressing the Page Up, Page Down, Home, and End keys: 


For example, if your current selection is Display, pressing Page 
Up or Home selects the first command, Station test (on a server 
with both the analyzer and monitor) or Cable tester (on a 
server with the monitor only). Pressing Page Down or End 
selects the last option in the list, Exit. 


* Typing the first letter of the command’s name: 


If two or more options start with the same letter, the monitor 
selects the one that immediately follows the current command. 
For example, if the command currently highlighted is Display, 
pressing M selects Manage stations; but if Station test is the 
current selection, pressing M selects Monitor filters. 


2-8 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Options in the Main Menu 


In the Main Menu, a carriage return symbol (#) appears to the right 
of Display and Exit. The symbol indicates that you can press Enter to 
trigger an action when the option is selected. That is, if Display is 
highlighted, pressing Enter displays one type of statistic; if Exit is 
highlighted, pressing Enter leaves the Main Menu. 


Other commands in the center panel are not followed by carriage 
return symbols. They are for displaying options and specifying 
values. For example, when History is highlighted, pressing Enter 
does not trigger any action. Highlighting History displays the History 
menu, which shows the current settings that determine how the 
monitor accumulates history statistics. If necessary, use the cursor 
keys to move to the desired setting and modify the value. 


Choosing Menu Options and Defining Values 


After selecting an option that triggers an action, you can press Enter 
to execute it. If you select a menu item that does not generate an 
action, move to one of its options. 


Regardless of the type of option selected, if you highlight an option 
followed by a carriage return symbol and press Enter, one of the 
following happens: 


¢ An action is triggered. For example, if you move to Clear in the 
Report menu, the monitor removes the report script from 
memory. 


* A list of values or a dialog box appears. The value you specify 
in the list or dialog box affects how a future action works. For 
example, if you move to Stn in the History menu, a list of 
station addresses appears for you to select the desired station 
for which history statistics are to be gathered. Refer to the 
section, “Choosing Among Values,” for further information on 
how to assign a value to an option. 


The monitor “remembers” the values you assign even after you exit 
the program or turn off the server. The next time you start the 
monitor, the same settings appear on the menu. However, if the server 
is powered off or rebooted remotely from the console while the 
monitor is running, it loses the new values that you assigned in the 
last session. 


Choosing Among Menu Options 


A list containing mutually exclusive options is identified by a vertical 
bar beside it. To select an item, move to it and press the Spacebar. If 
an item is selected, an arrowhead is moved next to it. For example, if 
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Interacting with the Monitor 


Alarm log is selected, the symbol “|>” appears to its left, as shown in 
Figure 2-2. 


Global statistics # 
Single station 4 
All stations 4 
Frame sizes d 
Ethertype protocol 


Station test 
Monitor filters 
History 

Display dq 
Alarm 

Report 

Manage stations 
Exit 


Station history #4 


d Class 


Network usage 


Display, acknowledge, and clear alarns. 


Press space to select this optio——————$—$—$——| 


18 New 
monitor 


Figure 2-2. Alarm log option in the Display menu. 


Not all options are included ina list. For example, the Class option in 
the Display menu appears by itself. Selecting Class displays another 
menu, which lists mutually exclusive values (To, From, and Both) 
that determine the type of traffic to be displayed. To select the desired 
value, move to the value and press the Spacebar. 


Choosing Among Values 


For some options, you can assign values, and the assigned value is 
displayed after an equal sign. For example, one of the options in the 
Alarm menu is displayed as Auto clear = 01:00. It means that the value 
1 hour has been assigned to the Auto clear option. 


To assign a value, move to the option and press Enter. Then one of the 
following happens: 


* A dialog box appears, prompting you to type a value. 
Type a value within the permissible range and press Enter. 


* A list of values appears. Move to the desired value and press 
Enter. 


If you do not want to enter or select a value after the dialog box is 
opened, press Esc to close the box and return to the menu. 
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Figure 2-3 is an example showing a station list from which you choose 
a station. 


TATION LIST: 
Alex Zwick 
Anthony Serrao 
Barbara Lemmon 
Barney Ingram 
Bill Goodman 
David Brooks 
Denise Martin 
¢ Stn = File Server ¢! Ed Hicks 
All stations 
Frame sizes d Numeric red Biddle 
Ethertype protocold Graphic George Stanley 
Alarm log d Helene Milici 
Global history #4 Jack Clayton 
Station history # James Wylie 
orel Jill Franz 
Select a station for display. Ken Quinn 
Linus Stanwick 
————=se the arrow keys to move, or ENTER to do this f]| Mark Ellison 
Michael Harley 
Miles Russell 
Press ESC to exit: 


Figure 2-3. Station list. 


Toggling Values 


Some options can be toggled; that is, you can either select or deselect 
them. For example, if you select the All stations option in the Display 
menu, the option Active stns only, preceded by a V mark, appears in 
the right panel. This option determines the type of station to be 
included in the display, and the V mark indicates that it has been 
selected. 


To select an option, move to highlight it and then press the Spacebar. 
A V mark precedes a selected option. Pressing the Spacebar again 
deselects an item, displaying an x mark next to it. 


If you press Alt and the Spacebar simultaneously, the V and x marks 
are reversed for all items in the same menu. 


Figure 2-4 shows the configuration of the All stations option in the 
Display menu. 


Interacting with the Monitor 


Global statistics ¢ x Partner's name 
Single station / Frames 

All stations d Y Errors 

Frame sizes d raphic Y Bytes 

Ethertype protocol! Y Average size 
Alarm log #] = Sort by Y Network usage 
Global history #4 x First activity 
Station history #] ¥ Active stns only x Last activity 

x Elapsed activity 


ore 
Display station activity in a tabular format. 


10 New 
monitor] 


Figure 2-4. Configuration of the All stations option. 


Using the Function Keys 


When the monitor displays a menu or statistical display, you can use 
the function keys to manipulate the display or perform various 
monitor functions. 


From menus, you can use the following function keys: 


* FI (Help) displays the main Help menu. For further 
information on the Help menu, refer to the section, “Using On- 
Line Help” on page 2-10. 


* 3 (Display) displays the statistics according to the options 
associated with Display. This key is applicable only after you 
start a monitoring session. 


* F10 (New monitor/Stop monitor) starts or stops a monitoring 
session. This key toggles between the two functions. 


From views, you can use the following function keys to navigate 
between menus and options. Other function keys might be available, 
depending on the view being displayed. Those keys are described in 
the chapters corresponding to the views. 


* F5 (Menus) returns you to the Main Menu. 


* 6 (Display options/Return) lets you display and edit options 
without returning to the Main Menu. This key toggles with 
“Return,” which returns you to the view. 
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In addition to using the function keys, you can press Esc to go back to 
the previous screen. 


Using On-Line Help 


The monitor provides an on-line help facility that displays 
information about the following topics: 


* Moving around the menu tree 
* Selecting menu items 
* Using the function keys 


* Testing the network cable (if your server does not run the 
analyzer) 


* Running protocol-specific station tests 
* Monitoring network traffic 

* Setting monitor filters 

* Specifying history information 

* Displaying statistics 

* Working with alarms 

* Using the report editor 

* Managing station information. 


LON To use on-line help: 
WY 
1. Press F1 (Help) to display the Help menu or relevant submenu. 
If you press F1 when one of the monitor views is displayed, a 


description of that view appears. 


2. InaHelp menu, move to the topic for which you want 
additional information and press Enter. 


To scroll through explanatory text, press Cursor Up or Cursor 
Down. 


3. Press Esc to return to the Help menu. Press Esc again to return 
to the screen display before you used on-line help. 
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Preparing for a Monitoring Session 


Preparing for a Monitoring Session 


Before starting a monitoring session from the Main Menu, decide on 
the following: 


* Which stations you wish to monitor (all stations or a single 
station) 


* Station for which you wish to collect history statistics. 


— Monitoring only one station means that you restrict monitoring to the 
frames from or to a particular station. Remember that the statistics the 
monitor compiles are based on these frames only. For example, if you 
choose to monitor Station A and it has not been sending or receiving 
frames, the monitor shows no global statistics even though other 
stations are active during this monitoring session. The monitor has 
already filtered out traffic from or to other stations. 


If you restrict monitoring to a single station, familiarize yourself with 
how the monitor generates alarms by reading the section 
“Interpreting Alarms When Using Monitor Filters” on page 5-7. 


Specifying Which Stations to Monitor 


Monitoring all stations gives you the option of displaying statistics for 
any or all stations. If you have not started a monitoring session before, 
it is recommended that you monitor all stations. 


Ne To specify which stations to monitor: 


LY 1. You can specify the stations only when the monitor is not 
monitoring. Make sure that the key label for F10 is “New 
monitor.” The key label “Stop monitor” indicates that a 


monitoring session is in progress. To stop a session, press F10. 
Move to Monitor filters in the Main Menu. 


2. To monitor all stations, move to the All stations option and 
press the Spacebar. 


To monitor a particular station, move to the Stn option and 
press Enter to display the station list. Move to the station to be 
monitored, and press Enter. The monitor observes only the 
frames to or from the specified station. 


The station list contains the same station names that are in the 
STARTUP.END file in the ENSNIFF directory, which is also 
used by the analyzer. Refer to “The Station List” on page 2-13 
for further information on how the monitor adds station 
addresses to the list as it monitors the network. 


The new setting takes effect in the next monitoring session. 
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Specifying History Options 


History statistics provide an overview of when the network was busy, 
at what time of the day stations generated errors, and so on. You can 
configure the monitor to collect history statistics for a specified 
address. 


Be sure that the station for which the statistics are collected is also a 
station that the monitor monitors. Suppose it monitors the traffic to 
and from ServerA only and you specify that history statistics be 
collected for ServerB. The monitor displays no station history 
statistics for ServerB. 


To select the station for which the monitor will collect history 
statistics: 

1. Move to the Stn option in the History menu. 

2. Press Enter to display the station list. 


3. Move to the station that you want to collect history statistics for 
and press Enter. 


Starting a Monitoring Session 


The monitor is ready to monitor the network after you configured it 
according to the instructions in the previous sections. 


To start a monitoring session: 
Press F10 (New monitor). The monitor displays this message: 
Resetting the network card. 


It takes several seconds for the monitor to enter the network. After a 
monitoring session starts, the key label on the screen for F10 changes 
to “Stop monitor.” 


You can examine the statistics gathered in a monitoring session in 
various ways. For example, you can display statistics, generate 
statistical reports, view the alarm log, and so on. The chapters that 
follow describe these tasks in detail. 


The monitor can automatically restart a monitoring session every time 
it prints a report. This is controlled by the Restart monitor option in 
the Report \Auto print menu. Refer to “Printing a Report 
Automatically” on page 6-16 for more information on restarting a 
monitoring session. 


Starting a Monitoring Session 


The Station List 


When you first run the monitor, the station list contains the station 
names in STARTUP.END, a station data file that is also used by the 
analyzer if the analyzer software is available on the server. The station 
list remains in memory until you terminate the monitor. If you want 
to monitor or collect statistics for a particular station, choose the 
station from this station list. 


Once the monitor starts a monitoring session, it can detect unnamed 
stations on the network. If you set Monitor filters to All stations, it 
detects any station that transmits frames on the network during the 
monitoring session. If the Stn option is selected instead of All 
stations, and Stn is set to an address, the monitor detects only stations 
sending frames to or receiving frames from the specified address. In 
either case, the monitor adds the detected station to the station list. 


For further information on naming stations and STARTUP.END, refer 
to Chapter 4, “Managing the Station Data Files.” The Distributed 
Sniffer System: Analyzer Operations Manual also describes the station 
data file. 


If a station for which you want to collect statistics does not appear on 
the list after monitoring the network for a while, check to make sure 
that the station is powered on and sending frames. If the station’s 
address still does not appear in the station list, this may indicate a 
connectivity problem between the station and the network. 


Figure 2-5 illustrates how the monitor uses the station list. 
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Adding unnamed addresses 
detected on the network 
during a monitoring session. 
Unnamed addresses remain 
in memory until the driver is 

Loading to Saving terminated. 

memory when addresses to the 

you run the disk after they _ 

monitor have been named 


IOMION 


STARTUP.END 


Sniffer Server 


Figure 2-5. The monitor loads and modifies the station list. 


Naming Stations 


You are not required to name all stations on the network before 
starting a monitoring session. However, it is recommended that you 
name the stations for these reasons: 


* When the monitor detects a station on the network that has not 
been assigned a name, the monitor may generate an unknown 
station alarm. (The unknown station alarm is disabled by 
default; so this happens only if you have enabled it. For more 
information on controlling alarms, refer to Chapter 5, 
“Working with Alarms.”) This alarm alerts you to intruders or 
to possible problems with network bridges or malfunctioning 
network interface cards. It is useful only if all the legitimate 
stations have been named. 


* The unnamed station addresses are lost when you remove the 
monitor driver from memory or start a new monitoring 
session. 


* The monitor loads the station names into the station list in 
memory when you start the monitoring application and adds 
unnamed stations to the list once it starts monitoring. 
However, if more than 1,024 stations exist on the network, the 


a 


Stopping a Monitoring Session 


monitor stops adding unnamed stations to the list. Any station 
not in the station list cannot be monitored. 


For further information on naming stations, refer to Chapter 4, 
“Managing the Station Data Files.” 


Stopping a Monitoring Session 


When you stop a monitoring session, the driver stops monitoring, but 
remains in RAM. 


RE To stop a monitoring session: 
wy 
1. Press F10 (Stop monitor). The following message appears: 


The Sniffer Network Monitor will stop monitoring if you proceed. Press 
ENTER to proceed. Press ESC to cancel. 


Press Enter. The following things happen: 
* The label of F10 on the screen changes to “New monitor.” 


* Ifyou display a statistics view, the clock in the upper right 
corner shows “ENDED,” followed by the time at which you 
pressed F10. 


* The statistics gathered during the monitoring session that 
you just terminated are still available for display. They are 
lost, however, once you start another monitoring session. 
To save the statistics, generate reports according to the 
instructions in Chapter 6, “Creating Reports.” 


Monitoring in the Background 


You can run the monitor in the background, without displaying the 
Main Menu or any statistical view. This allows you to transfer files 
between the Sniffer server and the SniffMaster console while you are 
monitoring the network. 


However, monitoring in the background has these limitations: 


You cannot display statistics. 


When you stop the monitoring session, the monitor loses the 
statistics collected. 


You cannot save history statistics and reports to the disk. 


When the monitor generates an alarm, it does not send the 
alarm to the console. (For more information on alarms, refer to 
Chapter 5, “Working with Alarms.”) 
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To monitor the network in the background: 


1. Start the monitor and initiate a monitoring session as you 
normally would, following the instructions provided earlier in 
this chapter. 


2. Move to Exit on the monitor’s Main Menu and press Enter. 


The server's Main Selection Menu appears. The driver in the 
server’s memory continues to monitor network traffic, but you 
can now perform other tasks on the server. For example, you 
can transfer a particular report from the server to the console. 


You might want to bring the monitor back to the foreground after a 
period of background monitoring, for example, to display statistics or 
alarms. 


To bring the monitor to the foreground: 


1. At the DOS prompt, type MENU and press Enter. The server’s 
Main Selection Menu appears. 


2. Select Ethernet Monitor and press Enter. The Monitor Services 
Menu appears. 


3. Select Run the User Interface and press Enter. The monitor's 
Initialization screen appears. 


4. Press any key to display the monitor’s Main Menu. The key 
label for F10 on the screen is “Stop monitor,” which indicates 
that the monitoring session is in progress. 

To stop a background monitoring session: 
1. Bring the monitor to the foreground. 
2. On the monitor’s Main Menu, press F10 (Stop monitor). 


Alternatively, you can stop a background monitoring session and 
remove the driver at the same time. This procedure is described in the 
section, “Removing the Driver from Memory.” 


Removing the Driver from Memory 


The monitor's driver program is loaded into the server’s memory 
when you start the monitor. If both the monitor and analyzer are 
installed on the server, you must first remove the driver from memory 
before starting the analysis function. 
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JD To remove the driver from memory: 
KOA 1. Display the server’s Main Selection Menu. 


2. Select Ethernet Monitor and press Enter. The Monitor Services 
Menu appears. 


3. Select Shutdown the Background Processes and press Enter. 
The following messages appear: 


The monitor process is about to be shut down. 


If you do not want to shut down the monitor at this 
time, answer 'n' at the prompt and hit the enter key. 


Do you wish to shut down the monitor? [y/n] 
4. Type Y and press Enter. These messages appear: 


Shutting down the monitor... 
ENMONDRV removed from memory 


The Main Selection Menu is displayed. 


— Removing the driver from memory terminates the monitoring session 

and erases from memory all statistics that the monitor has gathered. 
To save the statistics, you can print out a report or save a report to 
disk. For further information on report writing, refer to Chapter 6, 
“Creating Reports.” 
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General 


Chapter 3. Displaying Statistics 


Chapter Overview 


This chapter describes how to display the statistics the monitor 
gathers during a monitoring session. You can choose what you see 
and how you see it. 


The following are examples of what you can display: 
* Traffic statistics for the entire network (global statistics) 
* Traffic statistics for a single station 
* Traffic statistics for every station on the network. 
The monitor sorts all these statistics according to your specifications. 


This chapter describes the general display options and discusses the 
display for each type of statistic. For various types of information in 
each view, refer to Chapter 9, “The Monitor Menu Items.” 


Display Options 


A number of options are available for customizing statistical views. 
This section describes only the ones that apply to more than one type 
of statistic. More specific options (for example, the Active stns only 
option, which applies only to All stations) are discussed in the 
sections for various types of statistics. 


The following is a list of general options that determine a statistical 
view’s contents and format: 


* Type of statistic to display (for example, Global statistics or 
Alarm log). 


* Format of the display (that is, whether statistics are displayed 
numerically or graphically). This applies to some types of 
statistics only. 


* Class of traffic (that is, traffic to or from the station, or both). 
* Network usage (that is, relative or absolute). 


After you start monitoring, pressing F3 (Display) displays the 
statistics according to the options you specified. 
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Numeric vs. Graphic Display 


You can configure the monitor to provide either a numeric or graphic 
display for the following types of statistics: 


* Global statistics 
* Single station 

* All stations 

* Global history 

* Station history. 


The numeric display consists of columns of numbers; the graphic 
display presents values in a histogram for a visual summary of 
network usage. 


For each graphic view, you can scale the usage axis using these 
methods: 


* Pressing F7 or Cursor Up scales up the axis, which makes the 
bars in the graph longer to show a greater level of detail. 


* Pressing F8 or Cursor Down scales down the axis, which makes 
the bars in the graph shorter. 


If a bar is longer than the axis, the monitor displays a triangle at the 
upper end of the bar. 


Class Option: To, From, or Both 
The Class option applies to the following types of statistics: 
* Single station (for the graphic display only) 
* All stations 
* Station history. 


For each station, the Class option determines whether statistics are 
displayed for received frames (To), transmitted frames (From), or 
both (Both). 


Network Usage Option: Absolute vs. Relative 
The Network usage option applies to the following types of statistics: 
* Single station 
* All stations 


* Station history. 
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Freezing the Screen Display 


The Network usage option can be set to one of the following: 


Absolute Statistics are measured as a portion of the total 
network capacity, which remains constant. For 
example, if all stations together use 10% of the total 
capacity, absolute usage is 10%. 


Relative Statistics are measured as a portion of the total traffic. 
For example, if one station accounts for all the traffic 
on the network, its relative usage is 100%; if four 
stations generate traffic in equal amounts, relative 
usage for each is 25%. 


It is possible that a station accounts for a high percentage of relative 
network usage but a low percentage of absolute network usage. For 
example, if there are only two active stations on the network, which 
generate about the same amount of traffic, their relative usage is 
approximately 50% each. But if these stations rarely generate traffic, 
their absolute network usage can be as low as 1%. In this case, about 
99% of the network capacity is unused. 


All network usage percentages in global statistics views represent 
absolute usage. The Relative option does not take effect when you 
display global statistics. 


The value of network usage is rounded up to 0.01% even if it is less 
than 0.01%. For example, the absolute network usage is 0.01% for a 
station that received and transmitted a total of two frames, although 
these frames did not use as much as 0.01% of the network capacity. 


2 If you choose the Both option in the Display \Class menu, the relative 
network usage percentage can add up to 200% because the monitor 
counts each frame twice: once for the source address and once for the 
destination address. 


Freezing the Screen Display 


When a statistical view is displayed during a monitoring session, 
pressing F9 (Freeze display) temporarily stops updates to the screen 
to make it easier to study specific statistics. The clock in the upper- 
right corner is stopped as well. In the background, however, the 
server continues collecting statistics, logging alarms, and generating 
reports (if these functions have been enabled). To redisplay the 
current statistics, press F9 again. 
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Scrolling the Screen Display 


If there are more stations than a screen can contain in a view, use F3 
(Prev station) or F4 (Next station) to view the previous or next station. 
In a numeric view, Cursor Up and Cursor Down perform the same 
function as F3 and F4, respectively. 


Displaying Global Statistics 


To look at the first screen of information, press Home; to look at the 
last screen, press End. 


The Global Statistics view displays traffic statistics for the entire 
network as they are updated, either in numeric or graphic format. 


Figure 3-1 is an example of the numeric Global Statistics view. The 
numeric view presents three categories of statistics: 


Traffic counts 


Error counts 


Timestamps 


Counts on the left show the amount of 
cumulative activity since the beginning of the 
monitoring session. Counts on the right show 
activity during the last second. 


The Error Counts column shows the numbers of 
frame errors and lost frames. For further 
information on error counts, refer to Chapter 9, 
“The Monitor Menu Items.” 


If the total number of frame errors is high, check 
to see which station causes an unusually high 
number of errors. You can display station 
statistics with the All stations option in the 
Display menu as described in “Displaying Sorted 
Statistics for All Stations” on page 3-11. If you 
consider the number of lost frames excessive, 
contact NGC’s technical support for help. 


The timestamps include the time when 
monitoring started and the time when the first 
and last network activities took place. The 
monitor also shows the duration of a monitoring 
session. 
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LOBAL STAT IST] CS--@-@ Mar 21 11:16:45, 


Traffic Counts 


Total Stations 26 Active Stations g 
Average Usage G.01 % Current Usage 6.20 % 
Total Frames 3,332 Current Frames g 
Total Bytes 1,825, 406 Current Bytes g 
Avg Frame Size 307 Avg Frame Size g 


Error Counts Timestamps 


Monitor Started Mar 28 17:43:59 
Monitor Active § day(s) 17:32:46 


Runt Frames 
Alignment Errors 
CRC Errors 

Total Frame Errors 


OBRMHws 


First Activity Mar 26 17:44:14 
Last Activity Mar 21 11:16:38 
Network Active @ day(s) 17:32:27 


p__ oDisply SFreeze—il Stop 
Menus fifoption: displayfimonitor 


Unsaved Frames 
Missed Frames 
Total Lost Frames 


Raw 


Figure 3-1. Global statistics (numeric view). 


Figure 3—2 is an example of the Global Statistics view in graphic 
format. As in the numeric view, the top portion of the graphic view 
shows traffic counts, both cumulative and for the last second. The 
bottom portion shows absolute network usage plotted as a graph and 
updated at one-second intervals. 


LOBAL STATIST]CS@_——A- Oct. 82 17:06:52 
Traffic Counts 


Total Stations 26 Active Stations 
Average Usage 9.07 % Current Usage 
Total Frames 22, 087 Current Frames 
Total Bytes 5,828, 297 Current Bytes 
Avg Frame Size 262 Avg Frame Size 


40 32 
Seconds 


D 6Displug/ Scale™i8 Scale—9Freeze™ii0 Stop 
Menus foptions™ up down fidisplaufimonitor| 


Figure 3-2. Global statistics (graphic view). 
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KX To display global statistics: 
KOZ 1. Move to the Global statistics option in the Display menu and 
press the Spacebar. 


2. Move tothe Numeric or Graphic option in the Display \ Global 
statistics menu and press the Spacebar. 


3. Press F3 (Display) to display the statistics. 


Displaying Station Statistics 


The Single Station view displays traffic statistics to and from specific 
stations as they are updated, either in numeric or graphic format. 


In the numeric view, there are three columns: 


* The top-left column identifies the station to which these 
statistics apply, as well as the station’s two most recent 
partners. 


* The top-right column shows combined transmission and 
reception activity. The current usage percentage represents the 
usage during the past second; other statistics are cumulative 
since the beginning of the monitoring session. 


* The lower-left portion shows transmission activity, and the 
lower-right portion shows reception activity. These portions 
show the same types of statistics. 


Figure 3-3 displays traffic to and from a single station. 


Displaying Station Statistics 


ABSOLUTE TRAFFIC STATISTICS-SINGLE STATION--—————————ct. @2 17:22:57. 

Traffic TO and FROM Station 

Station: File Server Current Usage 

Average Usage 

Total Frames 

Last sent to: Alex Zwick Total Errors 
Last rcv from: Ken Quinn Total Bytes 35,697,892 
Avg Frame Size 274 


Traffic FROM Station Traffic TO Station 


Current Usage 1.90 % Current Usage 
1.50 % 


3.28 % 
Average Usage Average Usage 5.02 % 
Total Frames 64, 425 Total Frames 65,622 
Total Errors 24 Total Errors Q 
Total Bytes 8,250,712 Total Bytes 27, 447, 188 
Avg Frame Size 128 Avg Frame Size 418 
Start Time Oct @2 17:04:45 Start Time Oct @2 17:04:45 
End Time Oct. 82 17:22:57 End Time Oct 02 17:22:57 
Elapsed G day(s) 0:18:12 Elapsed B day(s) 08:18:12 


ky _Disply 9Freezegil@ Stop 
Menus foption displaufimonitor| 


Figure 3-3. Traffic statistics for a single station (numeric view). 


Transmission statistics are based on frames sent from the specified 
station; reception statistics are based on frames sent to the specified 
station. To illustrate this distinction, display the station statistics for 
the broadcast address. Since the broadcast address is only used as a 
destination address, you only see traffic in the “Traffic TO Station” 
category. 


In the graphic view, the top portion displays either receptions, 
transmissions, or both, depending on whether you selected To, From, 
or Both with the Class option. The bottom portion shows either 
absolute or relative network usage plotted as a graph and updated at 
one-second intervals. The bars in the graph also indicate the class of 
statistics. For example, ona color monitor, the yellow portion of the 
bar represents receptions, and the blue portion represents 
transmissions. Figure 3-4 shows a graphic view of statistics for a 
single station. 
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ABSOLUTE TRAFFIC STATISTICS-SINGLE STATIONN-————————Octt. 82 17:31:24 
Traffic TO and FROM Station 

Station: File Server Current Usage 27.61 % 

Average Usage 6.58 % 
Total Frames 195 , 386 
Last sent to: Jill Franz Total Errors 8 
Last rcv from: Barney Ingram Total Bytes 52,647,364 
Avg Frame Size 269 


D BB oDisplugi/ ScaleG8 Scale§{9rreezefii® Stop 
Menus foptions™ up down fidisplayfimonitor 


Figure 3-4. Traffic statistics for a single station (graphic view). 


KY To display station statistics: 


1. Move to the Single station option in the Display menu and 
press the Spacebar. 


2. Move to the Stn option in the Display \Single station menu and 
press Enter to display the station list. Move to the station for 
which you want to display statistics and press Enter. 


3. Define how statistics are displayed. 


a. Move to the Numeric or Graphic option and press the 
Spacebar. 


b. To display the Class and Network usage options, press 
Cursor Left to move back to the Display menu. 


c. Press Page Down to move to Network usage. Then move to 
Absolute or Relative in the Display \ Network usage menu, 
depending on whether you want to show statistics as a 
portion of total network capacity or current traffic. Press the 
Spacebar to select the option. 


d. If you select the Graphic option, you can also define the 
Class options. Move to To, From, or Both in the 
Display \Class menu, depending on whether you want to 
display statistics for receptions, transmissions, or both. 
Press the Spacebar. 


4. Press F3 (Display) to display the statistics. 


3-10 


Displaying Sorted Statistics for All Stations 


Displaying Sorted Statistics for All Stations 


Sorting Statistics 


The statistical view for all stations contains various types of statistics 
for each station. You can customize the display by specifying the 
following on the Main Menu: 


* How the statistics are sorted 


* Whether the statistics are displayed in ascending or 
descending order 


* What statistics are displayed in the view 
* Whether the display is in numeric or graphic format. 


Figure 3-5 shows a numeric example of sorted statistics that include 
the station, the number of frames, errors, bytes, average frame size, 
and the percentage of absolute network usage. These statistics are 
sorted in descending order by the number of bytes. 


ABSOLUTE TRAFFIC STATISTICS TO AND FROM STATIONS-———————Oct. 82 17:42:17. 
Station Frames Errs Bytes Size xUsage 

File Server 276, 009 73,432,466 266 
Print Server 191,194 45,529,139 
Denise Martin 19,582 18,611,113 

Mark Ellison 19,801 15,513,678 

Ed Hicks 19,389 15, 813, 438 

Linus Stanwick 19, 206 14, 282,561 
Steven Anderson 19,264 9, 882,593 
William Griffith 19,582 6, 804, 908 

Tom Brown 19,623 6,011,525 
Michael Harley 19,829 4,914,731 

Miles Russell 19,575 2,748, 389 
Barbara Lemmon 19,565 2,707,797 

Bill Goodman 19,619 2,529 , 836 
Barney Ingram 28,025 2,220,957 

Ken Quinn 19,201 2,228, 098 

Alex Zwick 19,715 1,982,862 
Helene Milici 19,558 1,947,276 
George Stanley 19,991 1,796,588 

Jill Franz 28, 066 1,725, 080 
Robert Hayes 19,695 1,441,699 


20 i 
1 3 Prevgld Next#i 6Disply SFreeze™iO Stop 
Help stationfistationf Menus option idisplayfimonitor| 


Figure 3-5. Traffic statistics for all stations (numeric view). 
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The monitor can sort statistics in a variety of ways. This is useful for 
comparing stations or for finding stations that match certain criteria. 
The following is a list of sort keys for both numeric and graphic 
displays: 


Name Name of the station. If a station is not named, the 
address is used. 


General 
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Partner’s name Last station that communicated with the station. 


Frames Total number of frames transmitted or received, 


or both transmitted and received during a 
monitoring session. 


Errors Total number of frames with errors transmitted 
or received, or both transmitted and received. 

Bytes Total number of bytes transmitted, received, or 
both. 

Average size Average size of frames transmitted, received, or 
both. 

Network usage Percentage of network usage. 

First activity Time when the first frame was sent or received. 

Last activity Time when the most recent frame was sent or 
received. 


Elapsed activity Time between the first and last activity. 


Types of Statistics Included in the View 


You can limit the displayed statistics to particular stations, whether 
you select the numeric or graphic format. To specify that the view 
includes only stations that have sent or received frames since the 
monitoring session started, select the Active stns only option in the 
Display \ All stations menu. 


If you 


select the numeric format, you can also select the types of 


statistics to be included in the display. The following list contains the 
statistic types. Because the items in the list are the same as the sort 
keys, refer to the section “Sorting Statistics” for their meanings. 


Partner's name 
Frames 

Errors 

Bytes 

Average size 
Network usage 
First activity 
Last activity 


Elapsed activity. 


= If you select more types of statistics than can fit in the statistical view, 
use Cursor Left or Cursor Right to scroll hidden portions of the screen 


Displaying Sorted Statistics for All Stations 


into view. Pressing Control and a cursor key moves you to the far 
right or left of any screen. 


Numeric vs. Graphic Display 


The numeric display includes various types of statistics according to 
your specification. Refer to “Types of Statistics Included in the View” 
on page 3-12 for more information. 


The graphic display shows the network usage of up to 10 stations at a 
time. The percentages are represented both graphically and 
numerically. To see more than the 10 stations, press Cursor Right or 
Cursor Left. 


The graphic display also indicates the class of traffic from which the 
statistics are derived. Specify the value of the Class option (To, From, 
or Both) in the Display \Class menu. 


Figure 3-6, for example, shows the stations with the highest amount 
of relative network usage for both transmissions and receptions. The 
statistics below the graph are derived from the transmission and 
reception counts, while the graph shows all three classes (To, From, 
and Both) for each of the listed stations. 


RELATIVE TRAFFIC STATISTICS TO AND FROM STATIONS————————Octt. 82 18:02:35, 


16 pAAAAAA—AdA—A AAA A A—Ak— A AA— AMAA 


sk 2 3 4 5 6 7 8 9 19 
Legend: To FROM BOTH 


1 File Server 61,155% 6 Linus Stanwick 12.18 % 
2 Print Server 38.60 % 7 Steven Anderson 8.52 % 
3 Denise Martin 14.95 % 8 William Griffith 5.65 % 
4 Mark Ellison 12.95 % 9 Tom Brown 5.07 % 
5 Ed Hicks 12.48 % 18 Michael Harley 4.16 % 


Figure 3-6. Traffic statistics for all stations (graphic view). 
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Procedure for Displaying Statistics for All Stations 
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To display and sort selected statistics: 


1. 


Move to All stations in the Display menu and press the 
Spacebar. 


Follow these steps to define the type of traffic and network 
usage: 


a. Press C to move to the Class option. 


b. Move to To, From, or Both in the Display \Class menu. 
Press the Spacebar to select one of the options. 


c. Move to the Display \Network usage menu; press the 
Spacebar to select either Absolute or Relative. 


To specify the format of the display, move to the Numeric or 
Graphic option in the Display \ All stations menu and press the 
Spacebar. 


If you select Numeric, a list appears in the right panel, which 

allows you to select the types of statistics to be included in the 
view. Move to any options in the list and press the Spacebar to 
select the options. 


To specify how the statistics are sorted, move to Sort by in the 
Display \ All stations menu. Two lists of options appear to its 
right. 


a. Move to the Ascending or Descending option in the first 
list and press the Spacebar. 


b. Move to the sort key displayed in the second list and press 
the Spacebar. 


For example, if you select Frames, the monitor sorts all 
stations by the number of frames and displays them from 
highest to lowest or vice versa, depending on whether you 
chose the Descending or Ascending option. 


To specify the types of stations to be included in the view, 
move to the Display \ All stations menu. 


If you want the view to include only the stations that have sent 
or received traffic, select Active stns only. 


Press F3 (Display) to display the sorted statistics you specified. 
If there are too many options to fit on the screen in the numeric 
view, use Cursor Right or Cursor Left to scroll them into view. 


To display stations either higher or lower in the sort order, 
press F3 (Prev station) or F4 (Next station). 


Displaying Frame Sizes 


Displaying Frame Sizes 


This view shows how many frames fall into each of the predefined 
size categories and what percentage of frames each size category 
comprises. The graph illustrates these numbers for a visual summary. 
This information is useful for determining how to configure your 
network’s data buffers. Figure 3-7 is an example of the Frame Sizes 
view. 


FRAME S1ZES—————H ct. 82 18:08:58 


Size Frames Percent 9 20 40 60 4) 120 


Under 68 6 2.28 
152 3.6 |= 


111 2.63 |= 
1390 31288 


64 ) [, 
4) 


41625-1514 6.80 
Over 1514 0.20 


D 6Disply 9Freeze—i@ Stop 
Menus fioption displaygimonitor} 


Figure 3-7. Frame sizes view. 


KO To display frame sizes: 


1. Move to Frame sizes in the Display menu and press the 
Spacebar. 


2. Press F3 (Display) to display the frame size distribution. 


Displaying Ethertype Protocol 


This view shows the amount of network traffic per low-level protocol. 
You can display the number and percentage of either bytes or frames. 
The network protocols are defined in the STARTUP.ENT file. Ifa 
frame’s Ethertype is not listed in this file, it is counted under the 
category “Other.” For further information on STARTUP.ENT, refer to 
Chapter 8, “The Monitor Data Files”; for further information on 
Ethertypes, refer to Distributed Sniffer System: Network and Protocol 
Reference. 


18 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Notice that the default STARTUP.ENT file does not include the 
Ethertype value for NetWare. This is because a NetWare frame 
normally does not contain the Ethertype field. Such a frame is counted 
in the 802.3 category. However, if the N ovell® stations on your 
network do generate frames that use the Ethertype field, the frames 
are counted in the appropriate Ethertype categories. In this case, you 
might want to add the Ethertype value for NetWare (8137) to 
STARTUP.ENT. 


Figure 3-8 is an example of the Protocol Types (Ethertypes) view that 
shows the distribution of bytes by protocol type. 


PROTOCOL TYPES (ETHERTYPES )}_————————Oct. 83 15: 28:22 
Ethertype Bytes %Total % 28 4g 60 88 162 


i) 

128 , 383,628 
12,728 

g 


2,757,687 ,94 
579,41 


i) 
g 
g 
g 
g 
g 
g 
5 
2 


Ry 6Disply 9Freeze—ii® Stop 
Menus fifoption displaysmonitor 


Figure 3-8. Protocol Types (Ethertypes) view. 


If you want breakdowns for protocol types other than those shown, 

use the DOS command, EDLIN, to add protocols to STARTUP.ENT. 
The file contains up to 32 entries; the maximum number of Ethertype 
labels is 16. 


PPS To display the protocol type distribution: 


1. Move to Ethertype protocol in the Display menu and press the 
Spacebar. 


2. Move to the Bytes or Frames option and press the Spacebar. 


3. Press F3 (Display) to display the Protocol Types (Ethertypes) 
view. 


Displaying the Alarm Log 


Displaying the Alarm Log 


The Alarm Log view shows the alarms in the server's alarm buffer. 
Figure 3-9 is an example of the Alarm Log view. 


Warning 
Minor 
Major 
Critical 
Warning 
Warning 
Warning 
Critical 


Warning 
Minor 
Warning 
Major 
Major 
Minor 
Warning 


i 
Help 


15:58:15 
15:58:17 
15:51:04 
15:51:45 
16:22:18 
16:89:19 
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Mark Ellison 
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Figure 3-9. Alarm Log view. 


el usage exceeded 
Rel usage exceeded 12% 
Rel usage exceeded 5% 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
Rel usage exceeded 5% 
Rel usage exceeded 5% 
Rel usage exceeded 5% 
Rel usage exceeded 4% 
Rel usage exceeded 5% 
No response 1 second 
No response 1 second 
No response 1 second 


When the Alarm Log view is displayed, you can do the following: 


Use Cursor Up or Cursor Down to highlight any alarm. Then 
acknowledge the highlighted alarm by pressing F3 (Ack 
alarm), which puts a V mark in the right column. 


Clear the alarm by pressing F4 (Clear alarm), which deletes it 
from the alarm buffer. (For a complete discussion of alarms and 
the alarm buffer, see Chapter 5, “Working with Alarms.”) 


To display the alarm log: 


bib 


Move to Alarm log in the Display menu and press the 
Spacebar. 


Press F3 (Display). The Alarm Log view appears. 


3-17 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Displaying Global History Statistics 


The statistics in this view show the amount of network activity and 
number of frames with errors during each history interval. (You can 
specify the length of the history interval; refer to the section “History” 
on page 9-4 for further information on setting the History option.) 
The monitor can collect history statistics for up to 1,750 intervals. 
History statistics are particularly useful for troubleshooting and 
network maintenance tasks, such as determining periods of low 
activity to schedule downtime. 


= History statistics are erased from memory when you start a new 
monitoring session or when you change the history interval during a 
monitoring session. 


The numeric view (Figure 3-10) shows the following types of 
information for each interval: 


¢ Interval number 

* Timestamp 

* Number of frames, frames with errors, and bytes 
* Average frame size 


* Percentage of absolute network usage. 


LOBAL HISTORY STATISTICS——————_____—_——Octt. 26 16:36:53 
Time Frames Errs Bytes Size xUsage 


21 Oct 26 16:36:43 17, 468 
16:34:43 28, 984 
16:32:43 24,326 
16:30:43 22, 886 
16:28:43 24,973 
16:26:43 25, 069 
16:24:43 26, 788 
16:22:43 25, 863 
16:28:43 25, 359 
16:18:43 24,168 
16:16:43 26, 289 
16:14:43 26, 366 
16:12:43 26,969 
16:18:43 26, 091 
16:08:43 22,652 
16:06:43 26,378 
16:04:43 24,485 
16:02:43 22,415 


4,533,409 259 7.75 
1,229°993 “249 12°38 
5,747,665 236 9.86 
5,748,709 258 9.83 
6,687,986 267 11.43 
6,382,022 254 10.92 
6,407,011 239 18.99 
6,571,694 262 11.24 
6,205,828 244 18.63 
6,148,575 254 16.51 
6,781,064 257 11.60 
6,715,119 254 11.49 
6,152,979 228 18.56 
6,541,299 249 11.15 M 
5,513,472 243 «9.45 0 
6,595,404 258 11.30r 
6,095,834 248 18.446 
5,471,446 244 9.381 
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Figure 3-10. Global history statistics (numeric view). 
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Displaying Global History Statistics 


The graphic view (Figure 3-11) shows the following types of 
information: 


¢ Interval number 
* Timestamp 


* Percentage of absolute network usage in numeric and graphic 
formats. 


Time sage 2 4 8 


Oct 26 16:36:43 7.75 
16:34:43 12.38 
16:32:43 
16:30:43 
16:28:43 
16:26:43 
16:24:43 
16:22:43 
16:20:43 
16:18:43 
16:16:43 
16:14:43 
16:12:43 
16:18:43 
16:28:43 
16:26:43 
16:04:43 
16:02:43 
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Figure 3-11. Global history statistics (graphic view). 


To display global history statistics: 


1. Move to Global history in the Display menu and press the 
Spacebar. 


2. Move tothe Numeric or Graphic option in the Display \ Global 
history menu and press the Spacebar. 


3. Press F3 (Display) to display the history statistics. 


Press F3 (View earlier) or F4 (View later) to view intervals recorded 
earlier or later. 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Displaying Station History Statistics 


The monitor collects and displays history statistics for the station you 
specified with the Stn option in the History menu. 


Although the numeric and graphic Station History views include the 
same types of information as the Global History views, you can 
customize the Station History views further to show whether: 


* History statistics include transmissions, receptions, or both 
* Network usage shown is absolute or relative. 


You can collect station history statistics for only one station at a time. 
Also, history statistics are erased when you start a new monitoring 
session or if you change the history interval during a monitoring 
session. If you need to save them, generate a report or save them to 
disk. (Refer to “Generating a Report” on page 6-14 for information on 
creating reports; refer to “History” on page 9-4 for information on 
saving history statistics to disk.) 


Figure 3-12 and Figure 3-13 illustrates the history statistics for the 
station “File Server” in numeric and graphic formats, respectively. 
They both show the station’s transmission and reception traffic 
compared to the network capacity (that is, absolute network usage). 


ABSOLUTE HISTORY STATISTICS TO AND FROM File Server-—————Oct 26 16:39:06 
Time Frames Errs Bytes Size xUsage 


Oct 26 16:38:43 
16:36:43 
16:34:43 
16:32:43 
16:30:43 
16:28:43 
16:26:43 
16:24:43 
16:22:43 
16:28:43 
16:18:43 
16:16:43 
16:14:43 
16:12:43 
16:19:43 
16:28:43 
16:06: 43 
16:04:43 


931,393 1.59 
2,962,188 
4,437,814 
3,261,848 
3,452,364 
4,179,546 
3,939 , 038 
3,772,781 
3, 987,243 
3,778, 333 
3,814,111 
4,395, 663 
4,836,815 
3,773,153 
3,941,129 
3,478, 488 
4,070,686 
3,718,778 
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Figure 3-12. History statistics for “File Server” (numeric view). 
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Displaying Station History Statistics 


Time sage @ 


22. «Oct 26 16:38:43 
Al 16:36:43 
16:34:43 
16:32:43 
16:30:43 
16:28:43 
16:26:43 
16:24:43 
16:22:43 
16:20:43 
16:18:43 
16:16:43 
16:14:43 
16:12:43 
16:18:43 
16:88:43 
16:06:43 
16:84:43 


Figure 3-13. History statistics for “File Server” (graphic view). 


To display the station history: 


1. Move to Station history in the Display menu and press the 
Spacebar. 


2. Define how statistics are displayed. 


a. Move to the Numeric or Graphic option in the 
Display \Station history menu and press the Spacebar. 


b. Move back to the Display menu, and press C to select the 
Class option. 


c. Move to To, From, or Both, depending on whether you 
want to display statistics for receptions, transmissions, or 
both. Press the Spacebar. 


d. Move to Network usage in the Display menu, and then to 
either Absolute or Relative, depending on whether you 
want to show statistics as a portion of the total network 
capacity or as a portion of the total traffic during the 
interval. Press the Spacebar. 


3. Press F3 (Display) to display the history for the selected station. 


Press F3 (View earlier) or F4 (View later) to view intervals recorded 
earlier or later. 
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CHAPTER FOUR: MANAGING THE STATION DATA FILES 4 


General 


Chapter 4. Managing the Station Data Files 


Chapter Overview 


The server's station data files in its C:\ENSNIFF directory contain 
station-specific information. The STARTUP.END file contains station 
addresses and names; it is shipped with the server. The 
STARTUP.ENA file contains the alarm thresholds for each station; it 
is created the first time you change station information. (For further 
information on alarms, refer to Chapter 5, “Working with Alarms.”) 
As the monitor observes the network, it modifies these files by adding 
addresses that have been named. The monitor also assigns the default 
station alarm settings to these stations. 


If both the analyzer and monitor are available on the server, they use 
the same name file. They can modify STARTUP.END, and the change 
affects the operations of both. For further information on how the 
analyzer uses or changes the name file, refer to the Distributed Sniffer 
System: Analyzer Operations Manual. 


—_ You can add stations manually by editing STARTUP.END with the 
DOS command, EDLIN. This lets you name stations that are not yet 
active on the network. 


This chapter describes how you customize the settings associated 
with each station in the data files. The description includes: 


* Displaying station information 

* Identifying stations 

* Assigning names 

* Assigning station alarm thresholds 
* Deleting stations 


* Returning to an earlier version of the data file. 


Displaying and Editing Station Information 


The Edit option in the Manage station menu displays the Manage 
Station Information view (Figure 4-1), in which you modify the 
station data files. Any changes you make are automatically saved 
when you exit this view. You can also display the Manage Station 
Information view by choosing Edit in the Alarm menu. 


The monitor automatically creates a backup copy of each data file the 
first time you modify it after starting the monitor. The backup data 
files are named BACKUP.END and BACKUP.ENA, and are stored in 
the C:\ENSNIFF directory. 
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ANAGE STATION INFORMATION 

Address Name Errors NoRsp Idle Usage Priority 
QO00004EG652 Alex Zwick 25 5 Off 25 Warning 
00000040303 Anthony Serrao j vi orm 
$000084E3420 Barbara Lemmon Warning 
0000004E3126 Barney Ingram Warning 
0000004E7256 Bill Goodman Warning 
$202004E5298 David Brooks Inform 
$000004E2001 Denise Martin Warning 
Q002004E2108 Ed Hicks Warning 
$000004E4302 File Server Warning 
9200004E3504 Fred Biddle Inform 
$022004E0025 George Stanley Inform 
$000004E0062 Helene Milici Inform 
200004E7506 Jack Clayton Inform 
$000004E3249 James Wylie Warning 
$000004E2301 Jill Franz Warning 
Q200004EG654 Ken Quinn Warning 
0000004E0012 Linus Stanwick Warning 
0000004E4523 Mark Ellison Warning 
0020004E3096 Michael Harley Warning 
$000004E8347 Miles Russell i 


1 2 Apply 4Delete—is Editi/ Thres 
Help fidefault| stationl§ Menus Prion lopt ions} 


Figure 4-1. Manage Station Information view. 
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How the Monitor Identifies Stations 


The monitor identifies stations by examining the 12-character strings 
that form the station addresses. Assign names to these addresses for 
the following reasons: 


* Ina statistical view, names are easier to identify than 
addresses. 


* You cannot save changes to station alarm thresholds for 
unnamed stations. 


* Unnamed stations are deleted from the station list if you 
remove the monitor's driver program from the server's 
memory. 


* Unnamed stations trigger alarms when they generate traffic. If 
you do not assign names to the stations, you are unable to tell 
whether an alarm has been caused by an unnamed station, an 
intruder, or a network problem. (Refer to Chapter 5, “Working 
with Alarms,” for further information on unknown station 
alarms.) 


Ed If the address of an unnamed station is specified in any menu item 
before you remove the monitor driver from memory, the monitor 
keeps the address in the station list the next time you start the 
monitor. For example, if the Stn option in the Monitor filters menu is 


4-4 Network 
General 


Editing Station Information 


set to 000000123456 before you remove the monitor driver from 
memory, this address remains in the station list the next time you run 
the monitor. The address is also included in the USERLIST report and 
the Manage Station Information view. Such an address, although 
unnamed, does not cause an unknown station alarm. 


The section “Editing Station Information” describes different ways of 
naming stations. 


Editing Station Information 


Editing station information involves assigning names and alarm 
thresholds. After you assign station names, these names identify the 
stations in other views. 


Naming Stations Automatically 
This section applies only if your server uses the IPX protocol. 


If the stations you want to name are active and are running the same 
NetBIOS stack as the server, you can name them automatically. This 
feature saves you considerable time. 


KO To name stations automatically with NetBIOS: 
1. Move to Manage stations in the Main Menu. 
2. Move to the Probe for names option and press Enter. 


NetBIOS transmits a query to each unnamed address in the 
station list, and the monitor displays messages about the query. 
For example, for the unnamed address “IntrlIn02A939,” the 
monitor displays this message: 


Attempting to name Intr1n@2A939. 


If the unnamed station does not respond, the monitor displays 
this message: 


Intr1n@2A939 did not respond. 


If it receives a response, the monitor assigns the corresponding 
name to the station. After the monitor has finished the naming 
process, the message “Done” appears. To interrupt the process, 
press Esc. 


Naming Stations Manually 


Before naming stations, you must determine which address belongs 
to which station. The USERLIST report helps you identify all stations 
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on the network. After knowing what stations exist on the network, 
you can add the names via the Manage Station Information view. 


Generating the USERLIST Report 


FON 
ey 


To run the USERLIST report: 
Monitor activity for several hours. 
2. Move to Report in the Main Menu. Then select the Load option. 


3. A window containing a list of reports appears. Move to 
USERLIST.SCR and press Enter. The monitor displays the 
information message, “Loading report script,” and returns to 
the Main Menu. 


4. Move to the Report\Print menu. 


5. To view the station addresses on screen, select the Screen 
option. You can also print out the station list by selecting LPT1 
or LPT2. For further information on printing a report, refer to 
the section “Printing a Report Manually” on page 6-15. 


6. Press Cursor Left to move back to the Print option. Press Enter 
to print the USERLIST report. It contains a list of station 
addresses detected by the monitor and the corresponding 
names. If an address is unnamed, the address itself appears in 
the name field. For each unnamed address, write down a name 
you want to assign to it. You will need the name when 
following the instructions in the next section. 


Naming a Station in the Manage Station Information View 


The Manage Station Information view contains alarm threshold 
information for all the stations listed in the USERLIST report. You can 
name a station or change an alarm threshold for a station in this view. 


To move to a station, use Cursor Up and Cursor Down. You can also 
type the first character of a station name or address to move to the 
station. However, if a station is named, you must type the first 
character of the name. For example, if the address “ AB0000040000” is 
named “DEC_LAT,” typing D selects it, but typing A does not. If the 
address “090065333333” is unnamed, press 0 to select it. 


To name a station: 


1. Move to Manage stations in the Main Menu. 


2. Move to the Edit option and press Enter to display the Manage 
Station Information view. 


3. Move to the station you want to nameand press Enter. A dialog 
box appears with a list of the fields you can edit, as shown in 
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Editing Station Information 


the example in Figure 4-2. 


00 00004E0652 25 Warning 
0000004E0303 Anthony Serrao Warning 
9000204E3400 Barbara Lemmon Warning 
$000004E3106 Barney Ingran Warning 
$000004E7256 Bill Goodman Warning 
$000004E5298 David Brooks Warning 
QPOOQL4E2801 DrSTATION 2000004E0652 Warning 
QOQOOB4E2100 E Name = Warning 
0202004E4302 Errors = 25 Warning 
$200004E3504 No response = 5 Warning 
2000004E005 Idle = Off Warning 


ANAGE STATION INFORMATION 
Address Name Errors No Rsp Idle Usage Priority 
2 5 Off 


2000004E0062 Relative usage = 25 % Warning 
O000004E7506 Priority = Warning Warning 


QQOGOB4E3249 J Ise t and | then press EN Warning 
Q200004E2301 Jill Franz 25 5 Warning 
Q000004E0654 Ken Quinn Warning 
0000004E0012 Linus Stanwick Varning 
0200004E4523 Mark Ellison Warning 
9200004E3296 Michael Harley Warning 


000004E8347 Miles Russell 25 5 Off Warning 
se t and | then press ENTER--———————————_ 
6 


‘Retur: 


Figure 4-2. Dialog box for editing station information. 


4. Move to the Name field and press Enter. Another dialog box 
appears. 


5. Type the station name in the dialog box. Station names can be 
up to 16 characters long; all printable characters are allowed. 
After you finish typing, press Enter. 


6. To return to the Manage Station Information view, press F6 
(Return); to change other values in the dialog box, go to the 
next section, “Changing Station Alarm Thresholds in the 
Manage Station Information View.” 


The name is saved automatically when you exit the Manage Station 
Information view. 


The Manage Station Information view alphabetizes the stations 
according to the station names. If a station does not have a name, its 
address is used for sorting. For example, the unnamed address 
“Intrln06E627” is listed after the station named “DEC_LAT” and 
before the station named “LAN Manager.” Also, numerals are listed 
before letters. For example, the unnamed address “09001E000000” 
appears before the station named “ Anthony.” 


The stations may not be in the correct alphabetical order immediately 
after you edited the names. You can see the sorted names only after 
you exit the view and then display it again. 
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Changing Station Alarm Thresholds in the Manage 
Station Information View 


In the Manage Station Information view, you can display a dialog box 
for editing station alarm thresholds as shown in Figure 4~2. For 
further information on alarms, refer to Chapter 5, “Working with 
Alarms.” Be sure to follow the guidelines in that chapter when 
changing alarm thresholds. 


f eS To change the station alarm thresholds: 


1. Move to the Edit option in the Manage stations menu and press 
Enter. The Manage Station Information view appears. 


2. Move to the station whose settings you want to change and 
press Enter. A dialog box appears with a list of fields you can 
edit. 


3. Move to the desired field and press Enter to display an 
additional dialog box. Select or type a value and press Enter. 
For example, in Figure 4-3, a list of possible Errors threshold 
settings is displayed. 


Repeat this step for each threshold setting for the selected 
station. 


ANAGE STATION 

Errors No Rsp Idle %Usage 
(000004E0303 Anthony Serrao 5 Off 

4£3408 Barbara Lemmon 

$200004E3106 Barney Ingram 
$000004E7256 Bill Goodman 
$00204E5298 David Brooks 
0200204E2001 Denise Martin 
9000004E21 208 
QPOOR04E4302 F 
9200004E3504 
9200204E0025 
$000004E0062 
$200004E7506 
0200004E3249 
0000204E2301 
0000004EG654 Ken Quinn 
0000204E0012 Linus Stanwick 
£000004E4523 Mark Ellison 
£200004E3096 Michael Harley 
9000004E8347 Miles Russell 
0000004E0120 Print Server 


RAAAA 


aR 


O 
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Figure 4-3. Errors threshold for station alarms. 


4. Press F6 (Return) to return to the Manage Station Information 
view. 


aoe 


Global Alarm Thresholds and Default Station Alarm Thresholds 


> 


5. Repeat steps 2, 3, and 4 for all the stations you want to edit. 


Changing alarm thresholds during a monitoring session can lead to 
unexpected results. For example, if you change a threshold that has 
already triggered an alarm, no new alarm is triggered when the new 
threshold is reached. Therefore, it is best to make any changes before 
you start monitoring. 


Global Alarm Thresholds and Default Station Alarm 


Thresholds 


When the Manage Station Information view is displayed, you can 
change other alarm thresholds in addition to the ones described in the 
previous section. For example, press F6 to reset the station alarm 
thresholds to the default settings, or F7 to change the global alarm 
thresholds and station default thresholds. You can also change these 
settings with Alarm in the monitor’s Main Menu. For more 
information on thresholds and how to change them, refer to Chapter 
5, “Working with Alarms.” 


Deleting Stations 


You can delete stations from the Manage Station Information view. 
The changes are made to STARTUP.END and STARTUP.ENA as soon 
as you exit the Manage Station Information view. 


To avoid unpredictable results, stop the monitor before deleting a 
station. If a monitoring session is in progress and the Manage Station 
Information view is displayed, press F5 to go to the Main Menu. Then 
press F10 to stop the monitor. (F10 is labeled New monitor on the 
screen when the monitor is off.) 


If the monitor detects the station that you have deleted, it generates an 
unknown station alarm (provided that this type of alarm is enabled). 


To delete a station: 
1. Move to Manage stations in the Main Menu. 


2. Move to the Edit option and press Enter. The Manage Station 
Information view appears. 


3. Move to the station you want to delete and press F4 (Delete 
station). 


+9 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Returning to the Previous Station Data Files 


When you make a change in the Manage Stations Information view, 

the change is saved to the STARTUP.ENA and STARTUP.END files as 
soon as you exit the view. The first time you modify these files after 

starting the monitor, the monitor creates backup copies of these files 
so that you can always return to the previous station data files. 


KAY To return to the previous station data files: 


1. Move to Exit in the Main Menu and press Enter. The server's 
Main Selection Menu appears. 


2. Select the Exit to the Operating System option. The DOS 
prompt appears. 


3. Change directory to ENSNIFF. 


4. Type COPY BACKUP.ENA STARTUP.ENA at the DOS 
prompt and then press Enter. 


5. Type COPY BACKUP.END STARTUP.END at the DOS 
prompt and then press Enter. 


To return to the server's Main Selection Menu, type MENU at 
the DOS prompt. 


The next time you start the monitor, it uses the settings that were in 
the station data files before they were changed. 
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CHAPTER FIVE: WORKING WITH ALARMS bh 


General 


Chapter 5. Working with Alarms 


Chapter Overview 


This chapter explains how alarms work and describes how to use 
them. It includes instructions for the following tasks: 


* Changing alarm thresholds 

* Displaying the alarm log 

* Acknowledging and clearing alarms 
* Printing alarms 

* Saving alarms to disk. 


= Remember that the alarm log described in this chapter is the one on 
the server, not the console, unless specified otherwise. For 
information on alarms sent to the console, refer to the Distributed 
Sniffer System: Installation and Operations Manual. 


Overview of Alarms 


Figure 5-1 shows how the monitor processes alarms. 


Alarm 1 
Alarm 2 
Alarm 3 
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Alarm Log on the Console ALARM.LOG 


Figure 5-1. Alarm processing. 


When a measured network parameter (for example, the amount of 
idle time or the number of frames with errors) exceeds a predefined 


3 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Alarm Thresholds 


threshold, the monitor triggers an alarm and sends it to the alarm 
buffer. (It also sends the alarm to the console. Refer to “Sending 
Alarms to the Console” on page 5-5 for more information.) You can 
display the alarms in the buffer, save them to the disk, or print them 
on a printer. 


The monitor is shipped with threshold settings for the entire network 
and for individual stations. You can change both the global and 
station threshold settings. For station thresholds, you can change 
these settings: 


* Thresholds for stations that are already on the network 


* Default thresholds that will be assigned to new stations when 
they are detected. 


The monitor generates several alarms for which you cannot set 
thresholds. These alarms are explained in “Alarms for Which You 
Cannot Set Thresholds” on page 5-13. 


Priority Levels of Alarms 


You can assign a priority level to each station on the network, which 
represents the importance of the alarms the station causes. The 
priority levels are Inform, Warning, Minor, Major, and Critical. An 
“Inform” alarm is the least important, and a “Critical” alarm is the 
most important. For example, if you consider the file server an 
important station on the network, you can specify that the alarms 
caused by the file server are labeled Critical. In this way, you can 
easily distinguish the more important alarms from others when 
viewing the alarm log. 


The alarm priority levels also determine the following: 
* Which alarms are accepted by the console 


¢ The value under “Monitor’s alarm” in the console’s Server 
Status display. 


For more information on the console’s alarm log and Server Status 
display, refer to “Sending Alarms to the Console” on page 5-5 and 
“Acknowledging Alarms” on page 5-14. The Distributed Sniffer 
System: Installation and Operations Manual also provides information 
on these topics. 


All global alarms have the priority level Critical. You cannot change 
this value. 
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Sending Alarms to the Console 


> 


When you log on to a server running the monitor in the foreground, 
the monitor sends the existing alarms in its alarm log to the console if 
they have never been sent to any console or SNMP target. (Refer to the 
Distributed Sniffer System: Installation and Operations Manual for more 
information on sending alarms to an SNMP target.) The monitor also 
sends subsequent alarms to all connected consoles as they occur. 


If the monitor is running in the background, it does not send alarms 
to the connected consoles or SNMP targets. 


Figure 5-2 shows what alarms are sent from the monitor to the 
console, depending on whether the console is logged on to the server 
running the monitor. In this example, the monitor is running 
continuously, and there are no other consoles connected to the server. 


Status of the Console Monitor’s Alarm Buffer Alarms Sent 


Not logged on to the server. [Ajarm #1 
Alarm #2 


Logged on to the server. Alarm #1 
Alarm #2 
Alarm #3 All alarms are sent 
immediately after the 
console is logged on. 


Terminated and then Alarm #1 
logged on to the server Alarm #2 
again. Alarm #3 Only alarm #4 is sent 
Alarm #4 as the other alarms 
have been sent before. 


Figure 5-2. Alarms sent to the console. 


Global Alarm Threshold Options 


Alarms are generated when global counts exceed predefined 
thresholds. For some global alarms (Errors, Usage, and Broadcast), 
you can determine the interval to which the threshold applies. For 
example, after you set the errors threshold at 100 and the interval at 
60 seconds, the monitor triggers an alarm if it detects 100 or more 
frames with errors during each 60-second period. 
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You can determine global alarm thresholds for these parameters: 


Unknown station Determines whether or not the monitor 


Errors 


Usage 


Broadcast 


Idle 


generates an alarm when an unnamed station 
transmits traffic. By default, the unknown station 
alarm is disabled. 


Defines the number (1 to 65,535) of frames with 
errors that triggers an alarm. To turn the alarm 
off, choose 0. You can set the interval to which 
this threshold applies (5 seconds to 60 minutes). 
By default, the number of frames with errors is 
20; the interval is 30 seconds. 


Defines the percentage (1 to 100%) of absolute 
network usage that triggers an alarm. You can set 
the interval to which this threshold applies (5 
seconds to 60 minutes). By default, the 
percentage is 50; the interval is 5 seconds. 


Defines the number of broadcast frames (1 to 
65,535) that triggers an alarm. To turn the alarm 
off, choose 0. You can set the interval to which 
this threshold applies (5 seconds to 60 minutes). 
By default, the number of broadcast frames is 
100; the interval is 5 seconds. 


Defines the length of time (5 seconds to 60 
minutes) the network can be inactive before 
generating an alarm. To turn the alarm off, 
choose 0. By default, the length of time is 15 
minutes. 


All global alarms have the priority level “Critical.” You cannot change 


this setting. 


Station Alarm Threshold Options 


For each station, you can determine the alarm thresholds for these 


parameters: 


Errors 


No response 


Defines the number of frames with errors (1 to 
65,535) a station can transmit before triggering an 
alarm. The default is 100. 


Defines how long a station can be sent frames 
without responding before triggering an alarm. 
To turn the alarm off, choose 0 (the default). The 
possible value can range from 1 to 7 seconds. For 
further information on when the monitor 
generates a no-response alarm, refer to the 
section “Alarm” on page 9-24. 
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Idle Defines the length of time (1 to 120 minutes) a 
station can be inactive (not transmitting) before 
triggering an alarm. To turn the alarm off, choose 
O (the default). 


Usage Defines the percentage of relative network traffic 
(1 to 100%) the station can transmit before 
triggering an alarm. The default is off. 


Interpreting Alarms When Using Monitor Filters 


When you are interpreting alarms, remember that the setting of 
Monitor filters affects the way the monitor generates alarms. 


If Monitor filters is set to one station, the monitor observes only the 
frames that contain this station’s address. As a result, the monitor 
considers only this station and its partners active. It generates idle 
alarms for any stations that are not communicating with the 
monitored station, regardless of whether they have been transmitting 
frames on the network. 


Strategies for Setting Alarm Thresholds 


This section provides some basic strategies for setting thresholds. 
However, finding the thresholds that best suit your particular 
network and preferences requires adjustments as you go along and as 
your network grows. 


7 Changing alarm thresholds during a monitoring session can lead to 
unexpected results. For example, if you change a threshold that has 
already triggered an alarm, no new alarm is triggered when the new 
threshold is reached. Therefore, it is best to make any changes before 
you start monitoring. You can also stop monitoring, make changes, 
and restart monitoring. 


Strategies for Setting Global Alarm Thresholds 
To get started, follow these steps: 
1. Move to the History option in the Main Menu. 


2. Select the broadcast address as the station for which the 
monitor collects history statistics. 


3. Set the Intrvl option to 15 minutes. 


4. Monitor traffic over a period of time, such as an 8-hour 
business day. This gives you an overview of your network’s 
traffic patterns. 
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The following is a list of suggestions for setting various global 
thresholds and handling alarms: 


Usage and errors thresholds 


Display the Global History view and note the highest number 
of errors and usage percentage. Then set each threshold of 
these categories to about 50% higher than the highest recorded 
number. 


Broadcast threshold 


Display the Station History view and note the highest number 
of frames sent to the Broadcast station. Then set the threshold 
to about 50% higher. 


Idle threshold 


Take into consideration the way your network software 
operates. For example, if your software package automatically 
transmits traffic every five minutes, setting the idle threshold 
to six minutes alerts you to any problems within a minute. 


Unknown station alarms 


To avoid triggering the unknown station alarm for legitimate 
stations, be sure to name all known stations. This alarm then 
alerts you to any intruders or new stations. Since faulty bridges 
or bad network interface cards usually generate numerous 
unknown station alarms, this is also a good way to detect 
problems with bridges and cards. 


Be prepared to adjust the thresholds to higher values if you get too 
many alarms. If the alarms that are generated do not alert you to 
potential problems quickly enough, adjust the thresholds to lower 
values. 


To change the global alarm thresholds: 


Ls 


Move to the Alarm\Threshold\Global menu, which lists the 
global threshold settings as shown in Figure 5-3. 


If you do not want the monitor to trigger an alarm when 
detecting an unnamed station, move to Unknown station and 
press the Spacebar. An x preceding this option indicates that 
the alarm is disabled; a V indicates that an alarm is generated 
for each unknown station. Pressing the Spacebar toggles the 
value of this option. By default, the alarm is disabled. 


Move to the field you want to change and press Enter to 
display a dialog box or a list of values. Type a value or move to 
a value to select it, and press Enter again. 


Strategies for Setting Alarm Thresholds 


x Unknown station 
Errors = 20 4 


Edit 4 Interval = 02:38 # 
Auto clear = Off @# 


Thresholds a reel Usage = 58 % 4 
Log to tation defaults Interval = 00:05 4 


Broadcast = 196 4 
Interval = 00:05 @# 


Idle = 15 4 


Specify alarm thresholds for the network as a whole. 


———use the arrow keys to move around in the menu 


i 10 New 
Help monitor 


Figure 5-3. Threshold options for global alarms. 


Strategies for Setting Station Alarm Thresholds 


When setting alarm thresholds for individual stations, pay particular 
attention to devices that handle a lot of traffic, such as file servers and 
gateways. Since these devices are so important to the entire network, 
it is important to adjust their thresholds so that you are alerted to 
potential problems quickly without getting unnecessary alarms. Also, 
assign priority levels to individual stations according to the stations’ 
importance. 


The following is a list of suggestions for setting various station alarm 
thresholds: 


Errors threshold 


Monitor the network for approximately 24 hours. Then 
generate the ERRORS report. (For further information on 
generating reports, refer to Chapter 6, “Creating Reports.”) 
Obtain the highest error count from the report and increase it 
by 50%. Use this number as the errors threshold. However, you 
should adjust this value according to the length of a normal 
monitoring session. For example, if you restart a monitoring 
session every two days, set the threshold to twice the value 
calculated above. Also, if you think the error counts in the 
ERRORS report are abnormally high, you should solve the 
problems that caused the errors before determining the errors 
threshold. 


General 
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¢ Idle threshold 


For devices such as file servers, set the idle threshold as low as 
1 minute to alert you quickly to potential problems. For stations 
that are likely to be turned on and off periodically, set the idle 
threshold to “Off.” 


* Usage threshold 


To identify any stations that use large portions of the network’s 
resources, set a low usage threshold for individual stations. 
Use this information to redistribute heavy users onto different 
network segments to prevent degradation of service to other 
users. 


As with the global alarm thresholds, be prepared to make 
adjustments. 


KA To change the station alarm thresholds and priority level: 


1. Move to the Edit option in the Alarm menu and press Enter. 
The Manage Station Information view appears. 


2. Move to the station whose settings you want to change and 
press Enter. A dialog box appears with a list of fields you can 
edit. 


3. Move to the desired field and press Enter to display an 
additional dialog box. Select or type a value and press Enter. 
For example, in Figure 54, a list showing the possible errors 
threshold settings is displayed. Repeat this step until you finish 
modifying the threshold settings. 


4. Move to Priority = in the dialog box and press Enter. A 
window titled “Station Priority” opens. Move to the desired 
priority level and press Enter. 


5. Press Esc to return to the Manage Station Information view. 


Changing the Default Station Alarm Thresholds 


Errors No Rsp Idle %Usage 
25 5 Off 25 


4E34 arbara Lemmon ERROR! arning 
0200004E3106 Barney Ingram Warning 
9000004E7256 Bill Goodman Warning 
9000004E5298 David Brooks Warning 
0200004E2001 Denise Martin Warning 
9200004E2100 Warning 
Q200204E4302 F N Warning 
9020204E3504 Warning 
90200204EG205 Warning 
0000004E0062 Warning 
O000004E7506 i Warning 
0000004E3249 iori Warning 
9200004E2301 Warning 
9000004E0654 Warning 
$200004E0012 Linus Stanwick Warning 4M 
$000004E4523 Mark Ellison Warning o 
0000004E3096 Michael Harley Warning r 
0202004E8347 Miles Russell Warning e 
1 


9000004E0108 Print Server 5 Warning 
se t and | then press ENTER-————————————___! 


Figure 5-4, Threshold settings for the station errors alarm. 


Changing the Default Station Alarm Thresholds 


When the monitor detects new stations on the network, it assigns the 
default alarm thresholds to the stations as it adds them to the station 
list. If you change these default settings, any stations added to the 
network are assigned the new defaults. If you assign names to these 
stations, the threshold information, together with the station 
addresses, is saved in STARTUP.ENA. 


OO To change the station default alarm thresholds and priority level: 


1. Movetothe Alarms\Thresholds \ Station defaults menu, which 
lists the default station thresholds as shown in Figure 5-5. 
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Edit ¢ 

Auto clear = Off #| Global 

Thresholds Errors = 106 d 

Log to No response = Off ¢ 
Idle = Off ¢q 

Usage = Off d 


Priority = Warningd 


Specify the default alarm thresholds for individual stations. 


se the arrow keys to move around in the menu= 


18° New 
monitor} 


Figure 5-5. Station default alarm thresholds. 


2. Move to the threshold setting or priority level you want to 
change and press Enter. A dialog box ora list of values appears. 
Type in or select a value, and press Enter. 


Resetting Station Alarm Thresholds to Default Values 


After changing the station alarm thresholds for a monitoring session, 
you can easily restore the default thresholds, either for a single station 


or for all stations. Be sure to stop monitoring before resetting alarm 
thresholds. 


WS To reset the alarm thresholds to defaults for a single station: 


1. Move to Edit in the Alarm menu and press Enter. The Manage 
Station Information view appears. 


2. Move to the station you want to reset and press F2 (Apply 
default). The threshold settings for that station change to the 
default values. 


The monitor resets the alarm thresholds for that station to the 
defaults. 


Displaying the Alarm Log 


KI To reset the alarm thresholds to defaults for all stations: 


KOA 1. Move to the Reset thresholds option in the Manage stations 
menu and press Enter. The monitor displays this message: 


Any changes made to station alarm configurations will be lost if you 
proceed. Press ENTER to proceed. Press ESC to cancel. 


2. Press Enter. The monitor displays this message: 


Resetting alarm thresholds. 


Displaying the Alarm Log 


The Alarm Log view displays the contents of the alarm buffer. It lists 
alarms in the order they occurred and shows their priority, the time 
they occurred, the source of the alarm, and the type of alarm. 


Once the Alarm Log view is displayed, you can acknowledge alarms 
or clear them from the alarm buffer. 
Oe To display the Alarm Log view: 


1. Move to Alarm log in the Display menu and press the 
Spacebar. 


2. Press F3 (Display) or press Enter to display the Alarm Log 
view. 


Alarms for Which You Cannot Set Thresholds 


The monitor generates two types of alarms for which you cannot set 
thresholds. Figure 5-6 describes how these alarms are represented in 
the Alarm Log view. When you display the view, you will see the 
actual station name or address under the heading “Source.” 


Alarm Type/Description Cause of the Alarm 


1 or more oversized frame. | Station that sent the A station sent a frame that exceeds 
oversized frame. 1,514 bytes. 


Illegal source address. Broadcast address. A broadcast address sent out a frame 
that was error free. A frame with 
errors from a broadcast address 
shown in the Single Station Statistics 
view does not cause an alarm. Sucha 
frame might simply have a 
corrupted source address, which is 
not necessarily a problem that you 
need to investigate. 


Figure 5-6. Types of alarms for which you cannot set thresholds. 
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Acknowledging Alarms 


To keep track of which alarms have been investigated, you can mark 

® (acknowledge) those alarms in the monitor’s Alarm Log view. It is, 
however, recommended that you acknowledge alarms in the 
console’s alarm log. Refer to the Distributed Sniffer System: Installation 
and Operations Manual for more information on the console’s alarm 
log. 


Acknowledging an alarm on the monitor does not affect the content 
of the console’s alarm log or the console’s audible alarm. However, it 
affects the alarm level shown in the console’s Server Status display. 
Suppose the monitor’s alarm log contains two alarms, one with 
priority level Critical and the other Major. Before the critical alarm is 
acknowledged, the alarm level for this server in the Server Status 
display is Critical. After you acknowledge the critical alarm on the 
monitor, the alarm level changes to Major. 


KO To acknowledge an alarm: 
1. Display the Alarm Log view. 


2. Move to the alarm you want to acknowledge and press F3 (Ack 
alarm). 


AV mark appears in the right column to indicate that you have 
acknowledged the alarm. 


Clearing Alarms 


The alarm buffer can contain up to 200 alarms. When the buffer is full, 
new alarms are deferred until you clear some of the existing alarms in 
the buffer. However, a deferred alarm is lost when the condition that 
caused it no longer exists. In this case, there is no record that the 

deferred alarm occurred because alarms are printed, saved to disk, or 
sent to the console only as they are sent to the monitor’s alarm buffer. 


Effects of Clearing Alarms 


Whether an alarm will recur after you clear it depends on the alarm 
type, as described below: 


* Global errors, usage, or broadcast alarm: 


An alarm is triggered only the first time the threshold is 
exceeded. Additional instances of this event are ignored unless 
you clear the alarm. That is, if the threshold is exceeded again 
after the clearing, the monitor generates a new alarm. 


a 


Clearing Alarms 


Global idle alarm, station idle, usage, or no response alarm: 


An alarm is triggered only the first time the threshold is 
exceeded. Additional instances of this event are ignored unless 
the alarm has been cleared and the condition that caused the 
alarm has been removed. For example, a station alarm is 
generated because a station has been idle for 15 minutes. If it 
continues to be idle after you clear the alarm, no new alarms are 
generated. However, if the station transmits at least once and 
then becomes inactive again for more than 15 minutes, the 
monitor will generate a new alarm for this station. 


Global unknown station alarm or station errors alarm: 


Even if the alarm is cleared from the buffer, the same condition 
does not cause an alarm to appear in the alarm log. 


Different Ways to Clear Alarms 


Clear alarms only when the monitor is running in the foreground. 
You can clear alarms in one of two ways: 


Manually clear alarms one at a time. Clear the alarms as soon 
as you deal with them. 


Use the Auto clear option. The monitor automatically clears 
each alarm after it is in the buffer for a specified period of time. 
This method is recommended because it slows down the speed 
at which the alarms approach the 200-alarm limit. 


When using Auto clear, also enable the Log to option, which 
automatically prints or saves to disk a record of alarms 
generated while the network is unattended. By default, Auto 
clear is set to 1 hour, and the alarms are logged to disk. If you 
are concerned that the alarms occupy too much disk space, 
disable the File option in the Alarm\Log to menu or remove 
the alarm log file regularly. The logging function is described 
in the section, “Using the Monitor’s Logging Function.” 


When you start a new monitoring session, the monitor automatically 
removes all the alarms in the alarm buffer that were generated in the 
last session. 


2 If an alarm has been cleared on the monitor before it is sent to the 
console, there is no record in the console’s alarm log that this alarm 
happened. However, if an alarm has been sent to the console before it 
is cleared, it remains in the console’s alarm log. Refer to the Distributed 
Sniffer System: Installation and Operations Manual for information on 
clearing alarms from the console’s alarm log. 
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To clear individual alarms manually: 


T 
2. 
Se 


Display the Alarm Log view. 
Press F3 (Display) or press Enter to display the alarm log. 


Move to the alarm you want to clear and press F4 (Clear alarm). 
The alarm is cleared from the alarm buffer. 


To clear alarms automatically: 


L: 
2. 
3: 


Move to Alarm in the Main Menu. 
Move to Auto clear = and press Enter. 


In the dialog box, type a value between 1 minute and 99 hours 
and press Enter. 


Using the Monitor’s Logging Function 


The monitor's logging function automatically prints and saves alarms 
as they are sent to the alarm buffer. This assures that there is a record 
of alarms, even after they are cleared from the buffer and the Alarm 
Log view. By default, the monitor saves alarms to the disk. 


Printing Alarms 


You can save the alarms for each monitoring session to disk and print 
them as necessary. Alternatively, you can print each alarm on a 
designated printer as it occurs. 


To print alarms automatically: 


1. 
2. 


Move to the Alarm \Log to menu. 


Make sure a V mark appears to the left of the Printer option. If 
not, press the Spacebar to display the V mark. 


Move to the Alarm \Log to\Printer menu, which includes two 
printer ports. If LPT1 is selected, the file is sent to the printer 
attached to the server; if LPT2 is selected, it is redirected to the 
console. Move to the desired printer port and press the 
Spacebar. 


The printout does not include the name of the server from 
which the alarm log originates. If more than one server sends 
its alarm log to the console’s printer port, it may not be 
immediately clear which server generates the alarm log. Refer 
to the Distributed Sniffer System: Installation and Operations 
Manual for more information on redirecting printouts to 
consoles. 
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Saving Alarms to Disk 


In addition to—or instead of—printing alarms as they occur, you can 
save them to the file ALARM.LOG in the C:\ENALARMS directory. 
You can either append the alarms to those saved during previous 

sessions or reinitialize the file each time the monitor starts monitoring. 


To specify the number of lines per page, move to Page size = in 
the Alarm \Log to\Printer menu and press Enter. A dialog box 
appears. 


Type the number of lines to be printed before a page break and 
press Enter. The number can range from 1 to 256. The default is 
58. 


If the number you specify is greater than the number of lines 
that fit on a page, the printing overlaps the page breaks, which 
might make the hard copy difficult to read. 


It is recommended that you save only the alarms from the current 
session and deal with alarms as they happen. Use the append option 
only for collecting historical information about alarms. Otherwise, the 
ALARM.LOG file eventually becomes huge. 


To save alarms automatically: 


1. 
2. 
3. 


Move to the Alarm\Log to menu. 
Move to the File option. 


If necessary, press the Spacebar to make sure a V mark appears 
to the left of the File option. 


Move to Clear alarm file in the Alarm \Log to\File menu. To 
append the current alarms to existing alarms from previous 
monitoring sessions, press the Spacebar to display the x mark 
to the left of the option. To overwrite previous alarms, press the 
Spacebar to display a V mark. 


The monitor saves the current alarms in ALARM.LOG in the 
C:\ENALARMS directory. 


To view ALARM.LOG: 


a: 


Select the Exit option in the Main Menu and press Enter. The 
Monitor selection menu appears. 


Select the Exit to the Operating System option. When the DOS 
prompt appears, use the DOS command, TYPE, to view the 
ALARM.LOG file. 


To return to the Monitor Service Menu after viewing the file, 
type MENU at the DOS prompt and press Enter. 
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(or at any other time the monitor application is not running in the 


— The ALARM.LOG file is not updated while you are viewing it in DOS 
foreground). 
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Network 


Chapter 6. Creating Reports 


Chapter Overview 


In addition to viewing network statistics, you can create customized 
reports that show these statistics in any combination, sorted and 
arranged according to your preferences. You can use these reports to 
document your network activities, justify the need for hardware 
upgrades, compare network performance over time, and so on. 


This chapter provides an overview of the sample report scripts 
shipped with the monitor and describes the following tasks: 


* Loading a report script 
* Previewing a report 


* Printing or saving a report to disk, in either normal or 
delimited file format 


* Creating or editing a report script. 


Sample Reports: An Overview 


The monitor comes with report scripts you can use or modify. A 
report script is a template that defines which statistics are included in 
the report and how these statistics are arranged on the screen or page. 
When you generate a report from a report script, the monitor supplies 
the statistics, inserts them into the report script, and then prints or 
saves the report to disk. 


You can use the same report script over and over. The types of 
statistics and the format of the report remain constant; only the 
statistics change each time you print a report. 


When you use the monitor for the first time, the only report scripts 
you can use are the sample report scripts shipped with the product, 
which are described later in this chapter. If none of these report scripts 
suits your needs, create a new report script or edit an existing script. 
Then save this new report script for future reports. You must name 
and save this newly created script before you can use it. 


These are the script files stored in the directory 
C:\ENREPORT\SCRIPTS: 


* ERRORS.SCR 
* ETYPES.SCR 
* FPRAMSIZE.SCR 
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* HISTORY.SCR 

¢ LISTENRS.SCR 

* TALKERS.SCR 

¢ USERLIST.SCR 

* USERS.SCR 

* USERSCSV.SCR. 


All of the sample report scripts contain the server’s NetBIOS address 
(if the server runs the IPX protocol) or IP address (if the server runs 
the TCP/IP protocols). 


ERRORS.SCR 


The report based on ERRORS.SCR shows the 10 stations that 
transmitted the most frames with errors. The stations are sorted in 
descending order by the number of errors. Only the stations that have 
sent at least 5 frames with errors are included. 


The report shows the following types of statistics: 
* Time monitoring started 
* Time monitoring stopped 
* Duration of the monitoring session (elapsed time) 
* Total number of stations. 
Information displayed for each station includes: 
* Sort position 
* Station’s name 
* Number of frames from the station 
* Number of frames with errors from the station 
* Number of bytes from the station 
* Average size of the frames from the station 


* Percentage of absolute network usage by the traffic from the 
station. 


Figure 6—1 is an example of a report based on ERRORS.SCR. 


a 


Sample Reports: An Overview 


ETYPES.SCR 


Server: 91.8.8.27 
Top 18 Errors 


This report provides statistics for the 18 stations which have 
transmitted the most frames with errors. Stations must have 
transmitted at least 5 frames with errors to be included in this 
report. 


Monitoring Started: Oct 84 89:52:32 Total Stations: 26 
Monitoring Stopped: Oct 24 09:56:03 
Elapsed Time: 6 day(s) 60:23:31 


Frames Bytes Size % Abs 


Print Server 627, 726 71 
File Server 1,685,407 134 
William Griffith 472,134 560 


Hit Esc to quit, any key to continue 


Figure 6-1. Errors report. 


The report based on ETYPES.SCR shows the distribution of Ethertype 
values. The report includes the protocol type categories, number of 
bytes per category, and the percentage of bytes per category. It also 
includes a graph to illustrate the percentages. Figure 6—2 is an 
example of an Ethertypes report. 
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FRAMSIZE.SCR 


Server: 91.8.8.27 
Ethertype Protocols 


This report supplies Ethertype protocol type distribution information. 


Ethertype Bytes Total @ 298 4g 62 89 100 


g 
g 
g 
g 
g 
g 
g 
g 
g 
g 
g 


5,914,316, 781 
366,312 


Hit Esc to quit, any key to continue 


Figure 6—2. Ethertypes report. 


The report based on FRAMSIZE.SCR shows the frame size 
distribution. It includes the frame size categories, the number of 
frames per category, and the percentage per category. The report also 
contains a graph that illustrates the percentages. The report contains 
the same information and has the same format as the display 
generated when you select Frame sizes in the Display menu. Figure 
6-3 is an example of a report based on FRAMSIZE.SCR. 
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HISTORY.SCR 


Server: 91.8.8.27 
Frame Sizes 


This report supplies frame size distribution information. 


Size Frames Percent 9 28 40 62 82 


Under 68 g 8.28 
60 g 2.00 

61- 128 15,278 26.24 
129- 256 12,028 20.63 
257- 512 12,373: 21:22 
513-1824 8,721 14.96 
257- 512 3,446 5.94 
513-1824 1,431 2.45 
1825-1514 3, 406 5.84 
Over 1514 1,603 2.75 


Hit Esc to quit, any key to continue 


Figure 6-3. Frame sizes report. 


The report based on HISTORY.SCR shows absolute network usage 
during each history interval. It includes a graph with a scale of 10% to 
illustrate the network usage percentages. Figure 6-4 is an example of 
a report based on HISTORY.SCR. 
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LISTENRS.SCR 


Server: 91.8.8.27 


History 


This report provides traffic history information. 


Time Usage @ 2 4 6 8 18 


41 Oct 18 16:19:28 11.63 
18 16:18:08 12.84 
16:17:08 9.88 
16:16:88 12.25 
16:15:28 8.93 
16:14:28 11.44 
16:13:28 12.23 
16:12:28 12.88 
16:11:08 13.74 
16:10:08 11.27 
16:29:08 11.45 


FMW LUNAN@wWWwo 


Hit Esc to quit, any key to continue 


Figure 6-4. History report. 


The report based on LISTENRS.SCR shows statistics for the 10 
stations that received the most traffic during the most recent 
monitoring session. 


Stations are sorted in descending order by the number of bytes 
received and filtered by sort position to display the 10 stations that 
received and transmitted the most bytes. 


The report shows the following types of overall information: 

* Time monitoring started 

* Time monitoring stopped 

* Duration of the monitoring session (elapsed time). 
Information shown for each station includes: 

* Sort position 

* Station’s name 

* Number of bytes to the station 

* Number of frames with errors to the station 


* Average size of the frames to the station 


Network 
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TALKERS.SCR 


* Percentage of relative network usage by the frames to the 
station. 


Figure 6-5 is an example of a report based on LISTENRS.SCR. 


Server: 91.8.8.27 
Top 18 Listeners 


This report provides statistics for the 1@ stations which have 
received the most traffic. The stations are sorted by bytes 
received. 


Monitoring Started: Apr @2 13:48:45 
Monitoring Stopped: Apr 25 11:47:39 
Elapsed Time: 2 day(s) 22:86:54 


Name Bytes Errors Size % Rel 


Novel1120543 1,356,676, 739 
Intr1n@88C3D 971,467,916 
Intr1ng81766 826,495,728 
Intr1n@6C996 625, 431, 788 
Intr1n@32E5B 417,493, 418 
Intr1n@6E8C5 289 , 686, 844 
Intr1n@816F5 130,335,236 
Intr1n030848 129,682,930 
Intr1n@7FCDS 109,552,782 


co 


BVanVneWe sao 


1 
2 
3 
4 
5 
6 
7 
8 
5 


Hit Esc to quit, any key to continue 


Figure 6-5. Listeners report. 


The report based on TALKERS.SCR shows statistics for the 10 stations 
that transmitted the most traffic during the most recent monitoring 
session. 


Stations are sorted in descending order by the number of bytes 
transmitted and filtered by sort position. The report includes the 10 
stations that transmitted most traffic. 


The report shows the following types of general information: 
* Time monitoring started 
* Time monitoring stopped 
* Duration of the monitoring session (elapsed time) 
* Total number of stations 
* Time when the report was generated. 
Statistics shown for each station include: 
* Sort position 


¢« Station’s name 
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* Number of bytes from the station 
* Number of frames with errors from the station 
* Average size of the frames from the station 


* Percentage of relative network usage by the frames from the 
station. 


Figure 6-6 is an example of a report based on TALKERS.SCR. 


Server: 91.8.8.27 
Top 1% Talkers 


This report provides statistics for the 1@ stations which have 
transmitted the most traffic. The stations are sorted by bytes 
transmitted. 


Monitoring Started: Oct 84 29:52:32 Total Stations: 26 
Monitoring Stopped: Oct 04 18:19:17 
Elapsed Time: @ day(s) 00:26:45 


Report Generated: Oct 04 18:19:17 


Bytes Errors Size % Rel 


Denise Martin 11,198,778 1748 14.46 
File Server 11,127,643 126 14.38 
Ed Hicks 9,177,893 1477 11,86 
Linus Stanwick 8,549,913 1362 11.25 
Mark Ellison 7,455, 412 1138 9.63 
Steven Anderson 6,183, 827 975 7.89 
Print Server 4,351, 201 72 5.62 


Hit Esc to quit, any key to continue 


Figure 6-6. Talkers report. 


USERLIST.SCR 


The report based on USERLIST.SCR lists the physical addresses and 
names of all stations that are in the station list, sorted by address in 
ascending order. No filters are used to limit the number of stations. 
This report is useful for you to view the names assigned to addresses. 
You can use it to set up the monitor station data file, STARTUP.END. 
Figure 6-7 is an example of a report based on USERLIST.SCR. 
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USERS.SCR 


Server: 91.6.9.27 
Station List 


This report lists the physical address and assigned name of each station. 
The stations are sorted by address. 


Q220204E2025 George Stanley 
$202004E0012 Linus Stanwick 
Q202004E0062 Helene Milici 
Q202004E0100 Print Server 
$002204E0257 Wes Harding 
$202004E0303 Anthony Serrao 
$000004E033E Robert Hayes 
QPQBQ04EG652 Alex Zwick 
Q200004EG654 Ken Quinn 
$200004E2001 Denise Martin 
QQ00004E2108 Ed Hicks 
Q000004E2301 Jill Franz 
00020004E2384 Tom Brown 
0000004E3096 Michael Harley 
0002004E3106 Barney Ingram 


Hit Esc to quit, any key to continue 


Figure 6-7. User list report. 


The report based on USERS.SCR shows transmission and reception 
statistics for all stations, sorted in ascending order (alphabetically) by 
name. No filters are used to limit the number of stations. 


The report shows the following types of statistics: 

* Time monitoring started 

* Time monitoring stopped 

* Duration of the monitoring session (elapsed time). 
Statistics shown for each station include: 

* Sort position 

* Station’s name 

* Number of frames to and from the station 

* Number of frames with errors to and from the station 

* Number of bytes to and from the station 

* Average size of frames to and from the station 


* Percentage of relative network usage by the frames to and from 
the station. 


Figure 6-8 is an example of a report based on USERS.SCR. 
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USERSCSV.SCR 


Server: 91.6.8.27 
All Users 


This report provides combined transmit and receive statistics for all 
stations. The stations are sorted by name. 


Monitoring Started: Oct 64 89:52:32 
Monitoring Stopped: Oct 04 18:28:52 
Elapsed Time: 6 day(s) 00:36:28 


Bytes Size 


Alex Zwick 15,922 1,622,561 
Anthony Serrao 16,333 779 , 284 
Barbara Lemmon 15,628 2,157,874 
Barney Ingram 15,922 1,798,938 
Bill Goodman 15,623 1,988, 423 
David Brooks 15,730 1,122,354 
Denise Martin 15,692 14,538,327 
Ed Hicks 15, 438 12,876,394 
File Server 228,991 59, 133,279 
Fred Biddle 16,135 1,022, 437 


1 
2 
3 
4 
5 
6 
7 
8 
9 
V4) 


ro 


Hit Esc to quit, any key to continue 


Figure 6-8. Users report. 


The report based on USERSCSV.SCR shows the same information as 
the USERS report, but ina comma-separated-values (CSV) format that 
allows you to import the information into spreadsheets, databases, or 
other applications that use the CSV format. The CSV format is also 
called “delimited format.” Refer to “Report File Format” on page 6-13 
for more information on definitions of different formats. 


Figure 6-9 is an example of a report based on the USERSCSV script. 
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“Server”, “Name”, "Frames", "Errs”, “Bytes”, "Size", "% Rel” 
"91.8.8.27 “| “Apollo Domain “ g 
g 8, 8.00 


"941.8.0.27 ‘a “Atalk Broadcast we 
) 0, 0.00 


"91.6.0.27 “| “Broadcast 
356278, 262, 8.22 
"91.8.8.27 "| “DEC_Argo Console”, 

6, 08.20 


8, ».. Ms 
"91.6.8.27 ", “DEC_Bridges 


8, 6.00 
"91.8.8.27 , "DEC Console 
"91.8.8.27 


8 
i) 8, 6.00 
", "DEC Encryption 
Q, 8, 8.20 
"91.8.6.27 "| “DEC_END_ nodes 
i) 6, 0.00 
"91.8.8.27 
Vi) 


"91.8.8.27 iv 

8, 5 : 

"91.6.8.27 “| “DEC_LAT Units 
1913828, 96, 0.14 


Hit Esc to quit, any key to continue 


Figure 6-9. Users report (delimited format). 


Report File Format 


Normal Format 


Delimited Format 


A report can be in normal format or delimited format. The only 
sample report script in delimited format is USERSCSV.SCR. 


The normal file format is the default format. Numbers that are 1,000 
or greater are printed with embedded commas (for example, 
1,100,000) in normal file format. Figure 6-1 is an example of an Errors 
report in normal file format. 


A report in delimited format contains no page breaks and embedded 
commas within fields. Figure 6-9 is an example of a report in 
delimited format. 


The delimited format allows you to import the file into other 
applications, such as spreadsheets and databases. For example, you 
might want to show the comparative usage of your network servers 
in a pie chart. After creating a report that provides those statistics and 
then importing that report into a spreadsheet application program, 
use the spreadsheet program’s graphics capabilities to create a pie 
chart based on your report. 
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To separate the fields from each other, insert a comma between the 
fields in the report script. Also, if a field is a character string (for 
example, a station name), use quotation marks to enclose the 
character string. 


— If the application program into which you want to import data 
requires additional formatting, make these changes in your report 
script. Refer to the application’s documentation for details about 
required filenames, field formats, and other considerations. 


Refer to “Creating or Modifying a Report Script” on page 6-18 for 
information on specifying a report script’s file format. 


Generating a Report 


To generate a report, you must first load into memory the report script 
that specifies the statistics you want to include. When you display, 
print, or save this report, the monitor automatically inserts the 
statistics from the current monitoring session. 


Loading a Report Script 


KO) To load a report script: 
wy 


1. Move to the Report menu. 


2. Select the Load option and press Enter to display the list of 
available reports, including the sample report scripts and any 
other report scripts that have been saved. 


3. Move to the report you want to load and press Enter. 


You can edit a report script once you load it. In addition, you can do 
any of the following to the report generated by the script: 


¢ Preview it on the screen 
* Print it on a printer 
¢ Save it to the disk 


* Clear its contents. 


Previewing a Report 


You can preview a report by printing it to the screen. 


KAN To preview a report: 
1. Load the desired report script. 


2. Move to Edit in the Report menu and press Enter to display the 
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Report Script Editor view, which contains the script you 
loaded. 


Press F9 (Screen test) to display the report generated by the 
script. If the report consists of more than one screen, press any 
key to see the next screen. To return to the script, press Esc. 


Printing a Report Manually 


You can print the report on a printer you designate. You can also 

specify the number of lines to be printed before the monitor inserts a 
page break and report header if the report is in normal format. Refer 
to “Report File Format” on page 6-13 for more information on report 


formats. 


To print a report manually: 


1. 
2. 


Load the desired report script. 


Move to the Report\Print menu to select the device to which 
the report is printed. You can select among these options: 


Screen displays the report on the screen. 
Device LPT1 prints the report on the server's printer port. 
Device LPT2 redirects the printing to the console. 


File saves the report to the disk. (Refer to “Saving a Report 
to Disk” on page 6-18 for more information.) 


If Delimited format in the Report \Edit menu is enabled, go to 
step 4. 


Do you need to change the number of lines per page? 


If yes, move to Page size =, and press Enter. In the dialog 
box that appears, type the desired number of lines, or turn 
off the option by typing 0. Press Enter after you finish 
typing. 

When the monitor inserts a page break, it also prints the 
header text (for example, the title of the report or a 
description of the report as defined in the report script). If 


this option is turned off, the monitor does not insert any 
page breaks in the printout. 


If the number of lines you specify exceeds the length of the 
page, the monitor prints the number of lines you specified, 
overlapping the page break. 


If no, go to step 4. 


4. Move to Print in the Report menu and press Enter. 
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5. A dialog box appears. Type the filename under which the 
report is saved. 


Printing a Report Automatically 


You can specify that the monitor prints out a report regularly. This 
feature is available only if the monitor application is operating in the 
foreground. 
To print a report automatically: 
1. Load the report script: 
Move to the Report \ Auto print menu. 


b. Select the Report = option and press Enter. A list of report 
scripts appears. 


c. Move to the desired report script and press Enter. 
2. Specify the time when the first report is printed: 
a. Move to Start time = and press Enter. A dialog box appears. 


b. Do you want to start printing the report immediately? If 
yes, type 00:00. If no, specify the time in hh:mm format. 
Press Enter when you finish typing. 


3. Specify how often the report is printed: 
a. Move to Interval = and press Enter. A dialog box appears. 
b. Type the time interval in hh:mm format and press Enter. 
4. To print to disk, go to step 5. 
To print to a printer: 
a. Enable the Print to device option. 


b. Specify the printer port in the Report \ Auto print\Print to 
device menu. Device LPT1 is for the printer attached to the 
server; Device LPT2 is for redirecting the report to the 
console. You can also specify the page size in this menu. 


c. Go to step 6. 
5. To print to disk: 
a. Enable the Print to disk option. 


b. Move to the Report \Auto print \Print to disk menu. To 
specify that the monitor prints each report to a separate file, 
select Multiple files; to specify that the monitor prints all 
reports on the same day to one file, select Single file. 


6. To restart a monitoring session after a report is printed, move 
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back to the Report\ Auto print menu to enable the Restart 
monitor option. 


For information on how the monitor names the reports generated 
automatically, refer to the section, “Filenames for Automatically 
Generated Reports.” 


Terminating Automatic Report Generation 


When the monitor is printing a report automatically, this message 
appears: 


Generating automatic report. 


If you want to terminate the automatic report generation, press the 
Esc key while the above message is displayed. The monitor stops 
printing immediately and displays the following message: 


Automatic report generation aborted. 


Subsequent report generation is not affected. For example, if Interval 
is set to 1:00 and Restart monitor is enabled, the monitor prints a 
report every hour and starts a new monitoring session after each 
printing, regardless of whether you have aborted automatic report 
generation. 


Filenames for Automatically Generated Reports 


The monitor names the automatically generated reports according to 
the file creation dates in either of these forms: ARYYMMDD.RPT. and 
YYMMDDNN.RPT. (The extension is CSV if the report is in delimited 
format. Refer to “Report File Format” on page 6-13 for more 
information on different file formats, and “Creating or Modifying a 
Report Script” on page 6-18 for selecting the desired format.) 


For example, if you specify that all reports are automatically printed 
to a single file, a file created on April 28, 1991, is named 

AR910428.RPT. The monitor creates a new file after midnight. In this 
example, the new file created after midnight is named AR910429.RPT. 


If you specify that each report is automatically printed to a separate 
file, the number of the report follows the date. For example, the first 
report generated on April 28, 1991, is named 91042801.RPT, the 
second report on the same day is named 91042802.RPT, and so on. If 
the monitor has already printed 99 reports on this day, the next report 
is printed to 91042801.RPT, overwriting the first report created. 


Reports generated automatically are stored in the C:\ENREPORT 
directory. 
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Saving a Report to Disk 


You can save a report to preserve the statistics generated during a 
monitoring session. 
To save a report to disk: 
1. Load the desired report script. 
2. Move to Print, then to File, and press the Spacebar. 
3. Move back to Print and press Enter to display the dialog box. 
4. Type a filename without the extension and press Enter. 


The monitor saves the report to the server’s C:\ENREPORT directory 
and appends the extension RPT or CSV to its filename, depending on 
the file format. 


Creating or Modifying a Report Script 


If existing report scripts do not meet your needs, you can create anew 
report script or modify an existing script. For example, to replace the 
“Bytes” column in the TALKERS report script with “Frames,” simply 
change the column heading and the associated code. You can make 

any substitutions you wish in this way to create customized reports. 


The procedure of creating a report script includes the following tasks: 


* Clear the contents of an existing report script in the Report 
Script Editor view if one is loaded. 


* Enter text. 
* Define which statistics (fields) to include in the report. 


* Define which field to use to sort the report, in either ascending 
or descending order. 


* Define one or two filters to further refine the report so that the 
report contains only the stations that you are interested in. 


* Define the report format. 


* Determine the report’s appearance by adding or deleting blank 
lines, or by adding special characters such as horizontal and 
vertical lines. 


* Preview the report. 


* Save and rename the report script for future use. 
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To create a blank report script: 


1. 


Select the Edit option in the Report menu. 
Have you loaded a report script? 


If yes, that script appears. Follow steps 2 through 4 to clear the 
script. 


If no, a blank report script appears in the Report Script Editor 
view. Go to the next procedure to start editing a report script. 


To clear an existing report script, press F6 (Edit options). The 
edit options appear. 


Move to Clear and press Enter. This message appears: 


Clearing report script. 


4. Press F6 (Return) to display a blank report script. 


To edit the fields in a report script: 


The types of statistics in a report depend on what report fields are 
included in the script. The following procedure shows how to edit the 
fields. The TALKERS report script is used as an example. The 
procedure shows just one way to edit a report script. Once a report 
script displays, you can vary the order in which you do various tasks 
or skip those tasks not relevant to your needs. 


ie 


To define which statistics to include, position the cursor where 
you want the field to appear. Then press F2 (Insert field) to 
display the list of available fields. The screen shown in Figure 
6-10 appears. (For definitions of the report fields, refer to 
Appendix B, “Report Fields.”) 
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-REPORT SCRIPT EDITOR 


FIELD 
Global Errors Station From To Both 


SrvrAddr Runt Sort Pos Partner Partner Partner 
Stations Align Address % Usage % Usage % Usage 
% Usage CRC Name Frames Frames Frames 
Frames TotErrs Hist Stn Errors Errors Errors 
Bytes  Unsaved Text Bytes Bytes Bytes 
Avg Size Missed CSV Ret Avg Size Avg Size Avg Size 


First Tot Lost First First First 
Last Last Last 
Elapsed Elapsed Elapsed 
History History History 


FrmSizes 
Etypes 


Figure 6-10. Report fields that can be inserted into a report script. 


2. Move to the first field you want to display and press Enter. It is 
® recommended that you include the server’s address (SrvrAddr 
under the heading “Global”) in the report script. In this way, 
when you print out the report from the console, you can 
identify the server that generated the report. If the server runs 
the NetBIOS protocol, it displays the NetBIOS address; if it 
runs the TCP/IP protocols, it displays the IP address. 


Some of the fields provide several options for you to further 
customize the field. For example, after you select the % Usage 
field, a window appears, which contains Absolute and 
Relative. These options correspond to the absolute and relative 
percentages of network usage. Use the cursor keys to move to 
the appropriate option and press Enter. 


A code (for example, @ss@) appears on the screen. When the 
monitor compiles the report, it automatically substitutes a 
value for that code. 


3. Position the cursor for the next field, with at least one space 
after the previous field. Also, be sure that the end of the field 
does not exceed the end of the line. 


4. Press F2, select the second field you want to display, and press 
Enter. (For the Talkers report, you would select Name under 
the heading Station). 


Repeat steps 2, 3, and 4 until you have defined all the fields. 
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5. To enter text, use the cursor keys to move the cursor to the 
desired place and start typing. For example, you might want to 
enter explanatory text or headers for the fields you selected. 
The upper-right corner identifies the cursor position by row 
and column to help you place the cursor precisely. The DEL 
key deletes the current character. The Ins (Insert) key inserts 
characters; if you have not pressed Ins, the character you type 
overwrites the current one. 


Figure 6-11 shows the codes for the fields of the TALKERS 
report and the explanatory text. Each report script can contain 
up to 58 lines. 


When you enter the @ symbol in your report, the monitor 
displays @@ to differentiate your input from the keyboard 
from the @ symbols used as delimiters in the field codes. When 
you send the report to the printer, the report correctly prints 
the @ sign you typed. 


-REPORT SCRIPT EDITOR---————TALKERS . SCR: 
Server: @GSERVER ADDR. .e 


Top 1% Talkers 


This report provides statistics for the 18 stations which have 
transmitted the most traffic. The stations are sorted by bytes 
transmitted. 


Monitoring Started: @GMON START...¢@ Total Stations: ecse 
Monitoring Stopped: eGMON END 
Elapsed Time: @GMON ACTIVE e 


Report Generated: eGCURRENT TIMEe 


Bytes Errors Size % Rel 


eSse @ @FERe eFAVe  eéFUREe 


il 2Insert™3Insert#4Delete—is 6 Editi? BRepeat#9Screen 
Help § field§ line—i line™l Menus fMfoptions™ Chars charg test 


Figure 6-11. Talkers report script. 


To sort and filter statistics in a report: 


1. When the Report Script Editor view is displayed, press Fé (Edit 
options). A list of edit options appears. 


2. Move to Report settings, and then to Sort by to display the sort 
options. A display as shown in Figure 6-12 appears. 


etworg’ 6-21 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


-REPORT SCRIPT EDITOR---—————TALKERS . SCR 


Ascending 
Descending 
Load 
Report settings Name 


Save Partner's name 
Clear x Active stns only Frames 
Print Errors 


Auto print x Delimited format Bytes 
Average size 
Y Filter 1 Network usage 
ore! lore! 
Select the field by which the stations will be sorted. 


se the arrow keys to move around in the menu 


Dp fo 
Menus fi Return 


Figure 6-12. Options for sorting statistics in a report. 


Follow these steps to specify how the statistics are sorted: 


a. Move toand select the To, From, or Both option by pressing 
the Spacebar. This option is applicable if the sort key (to be 
selected in step c) is related to the traffic direction. For 
example, if the sort key is Frames, the To, From, or Both 
option determines whether frames sent to, received by, or 
both, are used as the sort key. If the sort key is Name, this 
option does not affect how the stations are sorted. 


For the TALKERS report, select the From option to sort the 
stations according to the amount of traffic from the stations. 


b. Move to and select either Ascending or Descending to 
select the sort order. 


For the TALKERS report, select the Descending option. 
c. Move into the list of sort keys and press the Spacebar. 
For the TALKERS report, select Bytes. 


As a result of these specifications, the Talkers report displays 
the stations that transmit the most bytes in descending order. 
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3. To include only the stations that have sent or received frames, 
select the Active stn only option for Report settings. A V mark 
preceding the option indicates that it is selected. An x mark 
indicates that it is not selected. If the option is not selected, 
every station, regardless of whether it has received or sent 
traffic, is included. 


4. Select filters to limit the stations to be displayed in the report. 
Follow either of these steps to choose the filter, depending on 
the number of filters you need: 


* To use one filter, move to Filter 1. If necessary, press the 
Spacebar to display the V mark. Then move to Filter 2. If 
necessary, press the Spacebar to display the x mark to 
disable the second filter. 


* Ifyou want to use a second filter, decide whether you want 
the statistics to pass either filter or both filters, and select the 
appropriate operator option (OR or AND). Then move to 
Filter 2 and make sure it is selected (that is, aV mark should 
precede the Filter 2 option). 


If you select two filters with the AND option, the station 
must fulfill the conditions defined by both filters to be 
included in the report. If you select the OR option, the 
station is displayed if it meets the conditions of either filter. 


5. To specify the conditions for a filter, move to the panel to the 
right of the Filter option. There are two lists on the panel. 
Follow these steps to select the items on the lists: 


a. Youcan limit the stations to be included in the report based 
on any of these criteria: Sort Position, Name, Partner's 
name, Frames, Errors, Bytes, Average size, First activity, 
Last activity, Elapsed activity, Address, Absolute usage, 
and Relative usage. They are shown in the second list on 
the panel. 


For example, you can specify that the station be included 
only if its average frame size is between 100 and 1,000. 


To select a criterion, follow these steps: 


1) Move to the desired item on the second list and press 
Enter. A dialog box appears. The dialog box shows the 
default minimum and maximum values. 


2) Move to the value you want to modify, then press Enter. 
Another dialog box appears. 


3) Type the desired value and then press Enter. The dialog 
box with the values that you set appears. Press Esc or F6 
to return to the menu. 
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(For the Talkers report, you would select the Sort position 
as Filter 1 and specify a minimum value of 1 anda 
maximum value of 10 to include the top 10 users.) 


The first list determines the direction of traffic to which the 
criterion you specified in step a applies. If you specified 
Frames in step a, determine whether this condition should 
apply to the traffic from or to the station, or the traffic in 
both directions. For example, you can specify that the 
monitor count only the stations transmitting frames whose 
average size is between 100 and 1,000 bytes. 


To specify the direction, move to To, From, or Both in the 
first list. Then press the Spacebar. 


After changing a filter value, immediately press Cursor Left 
to return to the Filter 1 option. This ensures that you do not 
accidentally change the new value by viewing other filter 
values. 


If you are specifying two filters, repeat this step for the second 
filter. 


To define a report's file format: 


In the Report settings menu, press the Spacebar to enable or disable 
the Delimited format option. (If currently the Main Menu is 

displayed, go to the Report\Edit menu to set the Delimited format 
option.) 


To refine a report’s appearance: 


ds 


Add or delete blank lines or special characters such as up, 
down, right, or left ruling lines. 


a. 


To add or delete lines, use the F3 (Insert line) or F4 (Delete 
line) keys. 


To add headers, use the cursor keys to position the cursor 
above the fields you want to describe. Then type in the text. 


To add special characters, press F7 (Chars) to display a list 
of available characters. Move to the desired character and 
press Enter. To repeat the character, use the cursor keys to 
position the cursor on the character and press F8 (Repeat 
chars) to make a continuous line or other special display. 


To see how the report will appear with statistics, press F9 
(Screen test). 


Press Esc to return to the script. You can now make any 
additional changes to the report script. 
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To print or save the report, press F6 (Edit options). A list of edit 
options appears. Move to Print, and then either designate a printer or 
choose File. (See “Printing a Report Manually” on page 6-15 and 
“Saving a Report to Disk” on page 6-18 for a description of the 
associated options.) 


Recommendations on Report Editing 


The following is a list of recommendations that might help you edit a 
® report script: 


If you are modifying an existing report script, remember to edit 
the text preceding the statistics after you set up the fields so 
that the text correctly describes the report. 


When you view the statistics, it would be helpful if the sort key 
is consistent with one of the fields included in the report script. 


For example, the LISTENRS report script includes the TBYTE 
field, which represents the number of bytes sent to each of the 
stations in the report. It is recommended that you sort the 
statistics using the To option. In this way, the statistics 
represented by TBYTE are sorted in descending or ascending 
order, depending on your choice. 


If you sort the statistics using the From option, the stations are 
arranged according to the amount of traffic transmitted. This 
makes the report hard to read because none of the statistics in 
the report are related to transmissions. 


Use the AND operator carefully if you are defining two filters. 
When used correctly, it can eliminate the stations that you are 
not interested in. However, it may yield unexpected results if 
you inadvertently define conflicting conditions for the filters. 


The following are examples showing how the filters interact 
with the AND operator for the LISTENRS report script: 


Example 1 


For filter 1, To and Average size are selected. The minimum 
and maximum frame sizes are 0 and 500, respectively. 


For filter 2, To and Errors are selected. The minimum and 
maximum numbers of errors are 1 and 65,535, respectively. 


The report generated by the LISTENRS report script counts 
only the stations that have received frames whose average size 
is 500 bytes or less and that have received between 1 and 65,535 
error frames. You are eliminating the stations that have not 
transmitted frames with errors as well as the stations that 
transmit large frames. 
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Example 2 
Filter 1 has the same conditions as in Example 1. 


For filter 2, To and Average size are selected. The minimum 
frame size is 600; the maximum is a value that is greater than 
600 (for example, 1,000). 


The report generated by the LISTENRS report script contains 
no statistics because no station can meet the criteria defined by 
these filters. That is, no station can receive frames whose 
average size is 500 bytes or less and 600 bytes or more. 


Example 3 


For filter 1, Sort position is selected. The minimum and 
maximum values are 1 and 5, respectively. 


For filter 2, To and Errors are selected. The minimum and 
maximum numbers of errors are 100 and 500, respectively. 


The report generated by the LISTENRS report script would 
probably contain no statistics. If the statistics are sorted by the 
frames received by the stations, a station is displayed only if it 
is one of the top 5 stations that receive most traffic and it has 
transmitted between 100 and 500 frames with errors. 


Saving a Report Script 


PON 
SY 


When you finish editing a report script, you can save that script for 
future use. The original script you use as a basis is not changed; 
instead, you save the edited version under a new name. 


To save a report script: 


1. With the report script displayed, press F6 (Report Options), 
move to Save, and press Enter. 


2. In the dialog box that appears, type the report script name and 
press Enter. 


The monitor saves the report script and assigns it the extension 
SCR. The next time you try to load a report script, this script 
appears on the list of scripts available. 
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CHAPTER SEVEN: ESTABLISHING A BASELINE FOR YOUR NETWORK 


General 


Chapter 7. Establishing a Baseline for Your 


Network 


Chapter Overview 


Determining what is wrong with the network is much easier when 
you are familiar with typical network patterns before a problem 
occurs. Significant deviations from these patterns often indicate a 
problem. To decide whether such deviations exist, do the following: 


¢ Name the stations on the network. 


For further information on how to name stations, refer to 
Chapter 4, “Managing the Station Data Files.” 


* Become familiar with normal traffic patterns. 


This chapter describes the tests that produce results to be used as a 
baseline for your network. It does not, however, provide detailed 
interpretation of statistical displays and views generated by the 
monitor. This information is provided in Chapter 9, “The Monitor 
Menu Items.” 


The procedures in this chapter assume that you already know how to 
move through menus, select options, and define values. 


Gathering History Statistics 


AS 


NOY, 


KOS 


To establish a picture of typical network traffic patterns: 


1. Monitor all stations at 30-minute history intervals over a period 
of time, between one day to one week. 


Longer intervals like 30 minutes are often more meaningful 
because they reduce the effects of short-term fluctuations. 


2. Select Global history in the Display menu to look at the Global 
History Statistics view. The statistics allow you to analyze the 
network usage during various time periods. 


Alternatively, enable the Log to disk option in the History menu. The 
file HISTORY.LOG is created in the server’s C:\ENHIST directory, 
which stores the statistics in the Global History Statistics view. You 
can transfer the file to the console and then print it out. For more 
information on file transfer between the server and the console, refer 
to the Distributed Sniffer System: Installation and Operations Manual. 


It might be useful to log history statistics at different times of the year 
to discern network usage patterns. For example, you might want to 
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know whether network traffic is heavier toward the end of each fiscal 
quarter within your organization. 


KAS To display history statistics for a particular station: 


1. After monitoring the network over a period of time, select Stn 
in the History menu. 


2. From the station list, select a station for which history statistics 
will be displayed. 


3. Select Station history in the Display menu to look at the history 
statistics for the selected station. 


When you display a station’s history statistics, you can specify 
whether the statistics are compiled according to the amount of traffic 
received or transmitted by the station, or both. 


In most cases, use the Both option to show a more accurate picture of 
network activity. With this option, the monitor displays history 
statistics that reflect the traffic to and from the station. You can use 
this information to balance the load among network stations. 


The From option is useful when you display or sort by errors. It 
provides the most accurate picture of which stations are transmitting 
frames with errors. The To option might be useful for comparing the 
sizes of frames sent to the file servers to those transmitted by the file 
servers. 


KA To generate a history report for a particular station: 


To maintain a permanent record of the history statistics for a 
particular station, create a report script and generate a report for these 
statistics. 


For example, if ServerA generates the most traffic on the network, you 
might want to know its network usage at different times of the day 
over a period of time (for example, a week). To generate a history 
report for ServerA, follow these steps: 


1. Select Edit in the Report menu to display a blank report. 
2. Enter text that describes the content of the report. 


3. Insert fields such as the current time, frames from and to 
ServerA, absolute network usage, and frames with errors. 


4. Press F6 to display the edit options. 


5. Select Report settings to set Filter 1. Select Name to limit the 
report to ServerA. (That is, set both the minimum and 
maximum values of Name to “ServerA.”) Make sure that Filter 
2 is disabled. 


6. Select Save to save the script under a filename of your choice. 


ms 


Testing the Network Cable 


7. Select Auto print to print the report to a single file on the disk 
every hour. Set Start time to a time when you want the monitor 
to start printing the report. 


8. Enable the Restart monitor option so that the monitor starts a 
new monitoring session each time it prints the report to the 
disk. 


After monitoring the network for a week, print out the file that 
contains the report. The report consists of the hourly history statistics 
for ServerA in the past week. You can now see the traffic patterns of 
this server at different times of the day. 


Testing the Network Cable 


Before you start monitoring the network, make sure that the network 
hardware is working properly. If your server runs both the 
monitoring and analysis applications, use the Cable tester option on 
the analyzer to test the network cable. Refer to the Distributed Sniffer 
System: Analyzer Operations Manual for more information on this 
option. If your server runs the monitoring application only, use the 
monitor’s Cable tester option. 


The cable test sends a signal to the network segment being monitored. 
Then it listens for the return signal. Although the results may not be 
conclusive, the test alerts you to cable problems. 


To run the cable test: 
1. Start a monitoring session if you have not done so. 
2. Move to Cable tester in the Main Menu and press Enter. 
If the test detects no problems, the following message appears: 
No cable problems found. 
Otherwise, one of the following messages appears: 


Cable short detected. 
Cable open detected. 
Transceiver problem detected. 


If there is a cable problem, check to make sure that the cable is 
securely attached to the Monitor Card in the server and to the network 
segment that the server monitors. Refer to the Distributed Sniffer 
System: Installation and Operations Manual for information on cable 
connections. You can also use a hardware cable tester to pinpoint the 
cause of the problem, or try another network cable to see if the 
problem persists. 
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Protocol-Specific Station Tests 


It is useful to test protocols to which each station responds so that 
when connectivity problems occur in the future, you know which 
station normally responds to a particular type of test frame. 


KA To perform a protocol-specific station test: 
1. Select Station test. 
2. Choose a station from the station list. 


3. Select the protocol with which you want to test the selected 
station. The available protocols are IEEE 802.2, XNS Echo, DIX 
LOOP, NetWare, and NetBIOS. (The NetWare and NetBIOS 
options are available only if the server uses the IPX protocol.) 


The monitor displays a message indicating whether the station 
responded. If you started a NetBIOS station test and the station 
responded, the Network Adapter Status screen appears. An 
example of this screen is shown in Figure 7-1. 


4. Record the test result. 


Network Adapter Status 


Station Address: ®2Q70103A6DC Version: @x@021 Minutes Active: 
Traffic Statistics Station Resources 


CRC Errors Free Command Blocks 
Alignment Errors Max. Free Command Blocks 
Resource Exhaustions Max. Configured NCB 
Successful Receives Pending Sessions 
Collisions Max. Pending Sessions 
Aborted Transmissions Max. Sessions 
Retransmissions Max. Data Packet Size 
Successful Transmits Number of Local Names 


Name Table 


Press ESC to stop 


Figure 7-1. Sample Network Adapter Status screen. 


= 


Examining Typical Frame Size Distributions 


Examining Typical Frame Size Distributions 


It is useful to know the typical frame size patterns on the network. 
Suppose a majority of the frames on your network typically fall in the 
range between 61 and 128 bytes. After you installed a new network 
application (for example, a file transfer program), most frames now 
fall in the range between 513 and 1,024 bytes. This change indicates 
that the introduction of the program had an impact on network traffic. 
This information can help you decide whether modification of the 
network configuration is required. 


To examine the frame size distribution, monitor the network over a 
period of time. Then select Frame sizes in the Display menu to look at 
the Frame Size view. If you want to look at the frame size distribution 
over a period of time, generate reports based on FRAMSIZE.SCR 


regularly. 
If you want to know the average frame size for each station, select All 


stations in the Display menu. Specify that the statistics be sorted by 
the average frame size. 
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Chapter 8. The Monitor Data Files 


Chapter Overview 


Data Files 


STARTUP.ENA 


This chapter describes data files on the Sniffer server that are used by 
the monitor. Some of the files are shipped with the product; some are 
created when you execute particular commands in the monitor's 
menus. This chapter, however, does not describe those files that are 
used exclusively for the operation of the monitor and that you would 
not typically view in DOS. 


The following list shows the different directories that contain the data 
files: 


C:\ENSNIFF STARTUP.ENA 
STARTUP.END 
STARTUP.ENI 
STARTUP.ENT 
C:\ENALARMS ALARM.LOG 
C:\ENHIST HISTORY.LOG 
HISTORY.CSV 
C:\ENREPORT Tae, 


C:\ENREPORT\SCRIPTS “CK 


The monitor creates duplicates of the STARTUP.ENA and 
STARTUP.END files when you change these files for the first time 
after starting the monitor. The duplicates are called BACKUP.ENA 
and BACKUP.END, respectively. As a result, you can return to the 
previous versions of the data files. 


The STARTUP.END and STARTUP.ENI files are also used by the 
analyzer if it is available on the server. 


File type: ASCII. 


Content: Station addresses and alarm thresholds. This file is not 
shipped with the monitor; instead, it is created during 
the first monitoring session, when the monitor adds 
any named stations to this file and assigns them the 
default alarm thresholds. 
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STARTUP.END 


> 


STARTUP.ENI 


The following is an example of an entry: 
station 090014000101 alarms (usage 20%, badpkts 5, 
idle 1 mins, norsp 7 secs, priority 1) 

Read: When you start a monitoring session. 


Written: When you exit the Manage Station Information view 
after making changes. 


File type: ASCII. 


Content: Station names and addresses. You can enter station 
names automatically (if you use NetBIOS), with the 
Manage Stations Information view, or with a text 
editor. 


The following is an example of an entry: 
station “DEC_Netbios” = 09002B000007 


Read: When you start a monitoring session. It is also read by 
the Sniffer analyzer if you use the analysis function. 


Written: When you use the Probe for names function to add 
station names. 


When you exit the Manage Station Information view 
after editing names. 


When you edit the file with a text editor. 


You cannot delete the broadcast address, ffffffffffff, from this file. You 
can, however, change the name for this address. The default name is 
Broadcast. 


File type: ASCII. 


Content: Vendor addresses, each of which makes up the first six 
hexadecimal numbers of a station’s address. The 
monitor is shipped with a set of addresses in 
STARTUP.ENI. The following is an example of an 
entry: 


manuf “IntrIn” = 020701 
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STARTUP.ENT 


STARTUP.ENT 


ALARM.LOG 


Read: 


Written: 


File type: 


Content: 


Read: 
Written: 


File type: 


Content: 
Read: 
Written: 


If a monitor display includes the station whose 
address is, for example, 02070102A939, the monitor 
displays “IntrlIn02A939” instead of the 12 hexadecimal 
digits. 

The maximum number of entries is 225. 


When you start the monitor. It is also read by the 
analyzer if you use its analysis function. 


When you save changes made with a text editor. (The 
monitor does not automatically change this file.) 


ASCII. 


Ethertype values in hexadecimal numbers. The 
monitor is shipped with default Ethertype values in 
STARTUP.ENT. You can assign multiple values to an 
Ethertype. The following is an example showing two 
different values assigned to the same Ethertype: 


ethertype “AT&T” = 8046 
ethertype “AT&T” = 8047 


The maximum number of entries is 32; the maximum 
number of Ethertypes is 16. 


When you start the monitor. 


When you save changes made with a text editor. (The 
monitor does not automatically change this file.) 


ASCII. 
Alarms in the monitor's alarm buffer. 
When you use a word processor to read the file. 


The monitor saves alarms from the alarm buffer to the 
file if you enable the File option in the Alarm\Log to 
menu is enabled. 
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HISTORY.LOG and HISTORY.CSV 


*,.CSV and *.RPT 


The monitor saves history statistics to C:\ ENHIST \HISTORY.LOG if 
you do not specify the delimited (spreadsheet-compatible) format; it 
saves the statistics to C:\ENHIST\HISTORY.CSV if you choose the 
delimited format. 


File type: ASCII. 

Content: Global history statistics. 

Read: When you use a text editor to read the file. 

Written: The monitor saves global history statistics regularly to 


the file if you enable the Log to disk option in the 
History menu. 


The *.CSV and *.RPT files are reports stored in the C:\ENREPORT 
directory. Figure 8-1 lists the different forms of filenames. 


Report Format Generated Generated 
Automatically Manually 
Delimited ARYYMMDD.CSV or | FILENAME.CSV 
YYMMDDNN.CSV 
Normal ARYYMMDD.RPT or | FILENAME.RPT 
YYMMDDNN.RPT 


Figure 8-1. Filenames in the C:\ ENREPORT directory. 


You specify FILENAME when you manually generate the report. If 
the monitor generates the report automatically, the filename indicates 
the file creation date. 


File type: ASCII. 

Content: The report generated. 

Read: When you use a text editor to open it. 

Written: When a report is automatically or manually 
generated. 
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*SCR 


*SCR 


There are several report script files under the 
C:\ENREPORT\SCRIPTS directory (for example, HISTORY.SCR, 
ERRORS.SCR). 


File type: Binary. 

Content: Report script that the monitor uses as a template when 
generating a report. 

Read: When you choose Load in the Report menu. 

Written: When you choose Save in the Report menu. 


as 
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Chapter 9. The Monitor Menu Items 


Chapter Overview 


Cable Tester 


Station Test 


Options 


This chapter describes each menu item in the order it appears in the 
monitor’s Main Menu, along with any associated options. For options 
that display additional information, such as the Global Statistics view 
associated with the Display option, there is also an explanation of 
each item in the view. 


This chapter does not discuss the use of function keys in each view 
(for example, F9 for freezing the screen). It assumes that you have 
learned how to use the function keys from the previous chapters. 


This menu item is available only on servers that run the monitor but 
not the analyzer. 


Cable tester determines whether the network cable and transceiver 
are working properly for the server to communicate with the network 
segment being monitored. You must start a monitoring session before 
initiating a cable test. Refer to “Testing the Network Cable” on page 
7-5 for further information on starting the test. 


Tests for station response, using the protocols listed below. 


If the station responds to a NetBIOS test frame, the Network Adapter 
Status screen appears. Refer to Figure 7-1 for an example. 


If you use other protocols, the monitor displays a message similar to 
the following to indicate that the station responded: 


File Server responded. 


To= Displays the name or address of the station to be 
tested. If you press Enter after selecting this option, a 
list appears. Choose the station you want to test. To 
move through the list quickly, type the first character 
of the station’s name. 


IEEE 802.2 Sends an 802.2 test frame. 
XNS Echo Sends an XNS Echo frame. 
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> 


Monitor Filters 


Options 


History 


DIX LOOP _ Sends an Ethernet V2 Loopback frame. 


NetWare Performs a NetWare configuration request command. 
This option appears only on a server that is equipped 
with the IPX protocol stack. 


NetBIOS Performs a NetBIOS remote status request command. 
This option appears only on a server that is equipped 
with the IPX protocol stack. 


You must start a monitoring session before using an IEEE 802.2, XNS 
Echo, or DIX LOOP station test. 


Determines which stations are to be monitored. You can change the 
setting of Monitor filters only when the monitor is not monitoring. 


Allstations Monitors all stations. 


Stn = Displays the name or address of the station to be 
monitored. If you press Enter when this option is 
selected, a station list appears. Choose the station you 
want to monitor. To move through the list quickly, 
type the first character of the station’s name. 


By default, Monitor filters is set to All stations. 


Specifies the history interval and designates a station for which 
history statistics are collected. The history interval determines how 
often the monitor records history statistics. The total number of 
intervals is 1,750. 


Changing the setting of a History option erases any previous history 
statistics in memory. To save them, generate a report or log history 
statistics to disk. 


Options 
Stn Displays the name of a station for which the monitor 
collects statistics. If you press Enter when this option 
is selected, a station list appears for you to choose a 
station. To move through the list quickly, type the first 
character of the station’s name. 
9-4 


History 


Intrvl Specifies the length of a time interval during which the 
monitor accumulates statistics. It also affects when the 
monitor starts collecting history statistics, as 
explained in Figure 9-1. 


To specify the value, press Enter to display a dialog 
box. Specify the time in the hh:mm:ss format. The value 
can range from 5 seconds to 24 hours. 


Align history Ifitis not selected, the monitor starts collecting history 
statistics immediately. 


If it is selected, the monitor starts collecting history 
statistics on the next interval boundary. For example, 
if you set Intrvl to 10 minutes and the current time is 
02:21:00, the monitor starts collecting statistics at 
02:30:00. Figure 9-1 describes how the value of Intrvl 
affects the time the monitor starts history statistics 


collection. 
If Intrvl is set to... | History statistics collection starts at... 


Any number of hours | Beginning of the next hour. 
(for example, 1, 2) 


5, 10, 15, 20, or 30 Next specified boundary. For example, if 
minutes the current time is 05:13:00 and you set 

Intrvl to 30 minutes, statistics collection 
starts at 05:30:00. 


Beginning of the next minute. For 
example, if the current time is 05:13:00 

and you set Intrvl to 2 minutes, statistics 
collection starts at 05:14:00. 


Any number of minutes 
other than the ones 
described above 


5,10, 15, 20, or 30 
seconds 


Next specified boundary. For example, if 
the current time is 05:13:25, and you set 
Intrvl to 15 seconds, statistics collection 
starts at 05:13:30. 


Immediately. 


Figure 9-1. Relationship between Intrvl and history alignment. 


Any value other than 
the ones described 
above 
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Display 


Log to disk 


When selected, this option writes global history 
statistics at each history interval to a file on disk 
named HISTORY.LOG, which is in the C:\ENHIST 
directory. At midnight, this file is renamed to 
GHYYMMDD.LOG (YYMMDD represents the year, 
month, and day). The monitor then clears the contents 
of HISTORY.LOG so that it can store to this file the 
history statistics for the next day. (If the file is in 
delimited format, the file extension is CSV instead of 
LOG.) 


When Delimited format is selected, the file’s format is 
compatible with spreadsheet applications. That is, 
embedded commas within numbers are eliminated, 
and the fields are separated from each other by 
commas. The name of the file is HISTORY.CSV. 


Both HISTORY.LOG and HISTORY.CSV contain the 
same information as shown in the numeric Global 
History Statistics view. 


By default, Stn is set to Broadcast and Intrvl to 00:15:00. Align history 
is selected, but Log to disk is not. 


Display generates a variety of screens containing network statistics. 
Each display is called a “view.” The exact information in each view 
depends on the options you choose. All views include the current date 
and time in the upper-right corner of the screen. 


Options 

The following is a list of options for Display, which allow you to 

specify the type of view to be generated: 

Global statistics Displays traffic statistics for the network as 
a whole. 

Single station Displays traffic statistics for a specific 
station. 

All stations Displays selected statistics, sorted 
according to your specifications, for all 
stations. 

Frame sizes Displays a distribution of frame sizes. 

Ethertype protocol Displays the number of frames or bytes for 
each protocol type as indicated by the 
Ethertype field in a frame. 
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(axes) 


Display 


Alarm log Displays a list of alarms generated in the 
current monitoring session that have not 
been cleared. 


Global history Displays a history of activity for the entire 
network. 

Station history Displays a history of activity for a specific 
station. 


Except for Frame sizes and Alarm log, you can determine how these 
options display the statistics (for example, in numeric or graphic 
format). The following subsections describe the views generated by 
these options. 


The Class option specifies whether the statistics in a view are based 
on the frames sent to the station, from the station, or both. This option 
applies when you display a single station (in the graphic format), all 
stations, or station history. 


The Network Usage option specifies whether the statistics are 
absolute (a portion of the total network capacity) or relative (a portion 
of the total network traffic). This option applies when you display a 
single station, all stations, or station history. 


Display Global Statistics 


Options 


The Global Statistics view provides a high-level view of network 
activity for all stations for the current monitoring session. 


Numeric Displays global statistics as columns of numbers, 
including updated traffic counts, error counts, and 
timestamps. Numeric is the default setting. 


Graphic Displays traffic counts in the top portion and a graph 
of absolute network usage over a 60-second period in 
the bottom portion. 


Global Statistics in Numeric Format 


Figure 9-2 is an example of a Global Statistics view in the numeric 
format. 
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LOBAL STATISTICS ar 21 11:16:45, 


Traffic Counts 


Total Stations 26 Active Stations 
Average Usage §.01 % Current Usage 
Total Frames 3,332 Current Frames 
Total Bytes 1,825, 486 Current Bytes 
Avg Frame Size 327 Avg Frame Size 


Error Counts Timestamps 


Runt Frames Monitor Started Mar 2@ 17:43:59 

Alignment Errors Monitor Active § day(s) 17:32:46 

CRC Errors 

Total Frame Errors First Activity Mar 2@ 17:44:14 
Last Activity Mar 21 11:16:38 

Unsaved Frames Network Active § day(s) 17:32:27 


Missed Frames 
5 6Disply SFreeze™ii® Stop 
Menus fifoption: idisplau™imonitor 


Total Lost Frames 
Figure 9-2. Global statistics (numeric view). 


Traffic Counts 
The Traffic Counts column is divided into two parts. 
The following list explains the terms in the left column. All the 


statistics in this column have been accumulated since the current 
monitoring session started. 


Total Stations Number of stations that have transmitted frames 
in the current monitoring session. 


Average Usage Average utilization of the network’s capacity. 
Total Frames Total number of frames transmitted. 

Total Bytes Total number of bytes transmitted. 

Avg Frame Size Average size of transmitted frames (that is, total 


bytes divided by total frames). 


The following list explains the terms in the right column. All the 
statistics in this column pertain to the last second: 


Active Stations Number of stations that have transmitted frames. 
Current Usage Utilization of the network’s capacity. 

Current Frames Number of frames transmitted. 

Current Bytes Number of bytes transmitted. 


a 


Display 


Avg Frame Size 


Error Counts 


Average size of transmitted frames (that is, 
current bytes divided by current frames). 


The Error Counts column displays the number of frames with errors 
and the number of frames not examined by the monitor. The 
following list explains the terms in the Error Counts column: 


Runt Frames 


Alignment Errors 


CRC Errors 


Total Frame Errors 


Unsaved Frames 


Missed Frames 


Total Lost Frames 


Number of badly formatted frame fragments, 
which are shorter than the minimum frame size. 
For more information on runts, refer to the 
Distributed Sniffer System: Network and Protocol 
Reference. 


Number of frames whose length is not a multiple 
of 8 bits and hence cannot be unambiguously 
resolved into bytes. 


Number of frames with CRC (cyclic redundancy 
check) errors. 


Total number of frames with errors. 


Number of frames the monitor could not save to 
memory. 


Number of frames the monitor could not 
examine. The monitor starts to miss frames when 
the network’s data rate is greater than 
approximately 8,000 frames per second. 


Total number of frames the monitor did not 
examine. 


The statistics in the Traffic Counts column do not include the missed 
frames and unsaved frames. 


Timestamps 
Monitor Started 


Monitor Active 
First Activity 
Last Activity 


Network Active 


Date and time the current monitoring session 
started. 


Length of the current monitoring session. 
Date and time the first frame was transmitted. 


Date and time the most recent frame was 
transmitted. 


Amount of time between the first and most 
recent frames transmitted. 
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Global Statistics in Graphic Format 


Recommendations 


Figure 9-3 is an example of a Global Statistics view in the graphic 
format. 


LOBAL STATISTIC 
Traffic Counts 


Total Stations 26 Active Stations 
Average Usage 9.07 % Current Usage 
Total Frames 22,087 Current Frames 
Total Bytes 5, 808, 297 Current Bytes 
Avg Frame Size 262 Avg Frame Size 


49 30 
Seconds 


9 6Displyg/? Scale—i8 Scale§9Freeze™fi@ Stop 
Menus fifoptions™ up down fidisplausimonitor 


Figure 9-3. Global statistics (graphic view). 


The top portion of the view displays traffic counts identical to those in 
the numeric view. The graph in the bottom portion shows absolute 
network usage (in percentage) over a 60-second period. The graph 
updates at one-second intervals, moving across the view from right to 
left. The current time and date display in the upper-right corner of the 
view. 


The monitor can display accurate statistics up to certain values. It 
displays “Ovrflw” instead of the numeric value when a statistic has 
exceeded the maximum value. 


The maximum value of Total Frames is 4,294,967,295; the maximum 
value of Total Bytes is 999,999,999,999. The maximum value of each 
type of error counts is 65,535. Reset the monitor immediately after 
“Ovrflw” appears so that you can examine accurate statistics in the 
Global Statistics view for the current session. 


Display 


Display Single Station 


This view provides a high-level view of current activity for a selected 
station. 


Options 


Stn 


Numeric 


Graphic 


The name of the station for which the monitor 
displays statistics. If you press Enter after selecting 
this option, a station list appears. Choose a station 


from the list. 


Displays traffic statistics for the selected station as 


columns of numbers, including transmissions, 
receptions, and both (Figure 9-4). 


Displays traffic statistics for transmissions, receptions, 


or both, depending on the Class option you choose. 
The graph in the bottom portion shows either absolute 
or relative network usage by the station over a 60- 
second period (Figure 9-5). 


Single Station Statistics in Numeric Format 


Figure 9-4 is an example of the display for a single station. 


ABSOLUTE TRAFFIC STATISTICS-SINGLE STATION——————————ctt. 82 17:22:57. 


Station: File Server 


Last sent to: Alex Zwick 


Last rcv from: Ken Quinn 


Traffic FROM Station 


Current Usage ad 
Average Usage 1.5 
Total Frames 64,405 
Total Errors 24 
Total Bytes 8,250,712 
Avg Frame Size 128 
Start Time Oct @2 17:04:45 
End Time Oct 02 17:22:57 
Elapsed @ day(s) 00:18:12 


0% Current Usage 
Q % 


Traffic TO and FROM Station 
Current Usage 5. 
Average Usage 6.53 % 
Total Frames 138,827 
Total Errors 24 
Total Bytes 35,697,892 

Avg Frame Size 


Traffic TO Station 


Average Usage ‘ 
Total Frames 65,62 

Total Errors g 
Total Bytes 27,447, 188 
Avg Frame Size 418 
Start Time Oct 82 17:04:45 
End Time Oct @2 17:22:57 
Elapsed @ day(s) 00:18:12 


D 6Disply SFreeze@i® Stop 
Menus fioptions displayfimonitor 


Figure 9-4. Traffic statistics for a single station (numeric view). 


The top portion shows traffic counts for both transmissions and 
receptions for a selected station. The lower-left portion shows counts 


General 
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for transmissions; the lower-right portion shows counts for 


receptions. 


The left column in the top portion displays the following types of 


general information: 


Station Address or name of the station for which statistics 
appear. 


Last sentto | Address or name of the station to which the most 
recent frame was transmitted. 


Last rev from Address or name of the station from which the most 
recent frame was received. 


Traffic TO and FROM Station 


Current Usage 


Average Usage 


Total Frames 


Total Errors 
Total Bytes 


Avg Frame Size 


FROM Station 


Current Usage 
Average Usage 


Total Frames 
Total Errors 
Total Bytes 
Avg Frame Size 
Start Time 


End Time 


Elapsed 


Percentage of utilization in the last second for 
both transmissions and receptions. 


Average percentage of utilization for both 
transmissions and receptions in this monitoring 
session. 


Total number of frames transmitted and 
received. 


Total number of frames with errors. 
Total number of bytes transmitted and received. 


Average size of frames transmitted and received. 


Percentage of network utilization for 
transmissions in the last second. 


Average percentage of utilization for 
transmissions in this monitoring session. 


Total number of frames transmitted. 

Total number of frames with errors transmitted. 
Total number of bytes transmitted. 

Average size of frames transmitted. 

Date and time the first frame was transmitted. 


Date and time the most recent frame was 
transmitted. 


Amount of time between the transmission of the 
first and most recent frames. 


Network 
General 


Display 


TO Station 


Current Usage 
Average Usage 


Total Frames 
Total Errors 
Total Bytes 
Avg Frame Size 
Start Time 


End Time 


Elapsed 


Percentage of utilization for receptions in the last 
second. 


Average percentage of utilization for receptions 
in this monitoring session. 


Total number of frames received. 

Total number of frames with errors received. 
Total number of bytes received. 

Average size of frames received. 

Date and time the first frame was received. 


Date and time the most recent frame was 
received. 


Amount of time between the first and most 
recent frames received. 


Single Station Statistics in Graphic Format 


Figure 9-5 is an example of the display for a single station in the 


graphic format. 


ABSOLUTE TRAFFIC STATISTICS-SINGLE STATION—————Oct. 82 17:31:24 


Traffic TO and FROM Station 


Station: File Server Current Usage 27.61 % 


Average Usage 6.58 % 
Total Frames 195, 386 
i) 


Last sent to: Jill Franz Total Errors 
Last rev from: Barney Ingram Total Bytes 52,647,364 


Avg Frame Size 


49 32 
Seconds 


5 6Displygi/ Scale—i8 Scale—9FreezefiO Stop 
Menus foptions™ up down fidisplauf—imonitor| 


Figure 9-5. Traffic statistics for a single station (graphic view). 


The statistics in the top portion of the graphic view are similar to those 
displayed in the top portion of the numeric view. However, they do 
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Recommendations 


not always describe the traffic both to and from the station; the 
statistics displayed depend on the Class option you choose. 


For example, if you choose To for the Class option, the display does 
not include the address or name of the station to which the most 
recent frame was transmitted (the “Last sent to” field). 


The graph in the bottom portion of the Single Station view (Figure 9- 
5) shows either absolute or relative network usage (in percentage) by 
the station over a 60-second period. The graph updates at one-second 
intervals, moving across the view from right to left. 


If you select Both for the Class option, a bar in the graph representing 
both reception and transmission statistics is made up of two portions. 
The upper portion represents the reception statistics; the lower 
portion represents the transmission statistics. A color monitor 
displays reception statistics in yellow and transmission statistics in 
blue. 


As with the global statistics, the monitor can display accurate statistics 
for a single station up to certain values. If a statistic for both reception 
and transmission exceeds the maximum value, the monitor displays 
“Ovrflw” instead of the numeric value. For example, if Total Frames 
in the Traffic TO and FROM Station column exceeds 4,294,967,295, 
“Ovrflw” appears. 


However, if the number of the transmitted frames or received frames 
exceeds the maximum value, the monitor does not display “Ovrflw.” 
In this case, the numeric value displayed is still inaccurate. 


If you display the numeric view, reset the monitor once “Ovrflw” is 
displayed. If you display the graphic view for transmission or 
reception traffic only, there is no warning about the overflow of the 
frame counts. In this case, it is important that you reset the monitor 
once “Ovrflw” is displayed for Total Frames in the Global Statistics 
view. When Total Frames overflows, it is possible that the frame 
counts for one or more stations are inaccurate. 
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General 


Display 


Display All Stations 


Options 


This view shows statistics for each station across the network, sorted 
according to your specification. 


Numeric 


Graphic 


Sort by 


Displays statistics as columns of numbers, for up 
to 20 stations at a time. You can choose which 
statistics to display (see “ All Stations Statistics in 
Numeric Format” on page 9-16), how to display 
them, and how to sort them. 


Displays a graph and lists 10 stations at a time. 
Refer to “All Statistics in Graphic Format” later 
in this section for a description of the view.) 


Specifies the order in which the statistics are 
arranged and the key by which the statistics are 
sorted. The options available are described 
below: 


Ascending displays statistics from the lowest to 
the highest, as defined by the sort key. 


Descending displays statistics from the highest 
to the lowest, as defined by the sort key. 


Name sorts the stations by their names. 


Partner's name sorts the stations by the names of 
their partners. A station’s partner is the last 
station it communicated with. 


Frames sorts the stations by the number of 
frames transmitted, received, or both. 


Errors sorts the stations by the number of frames 
with errors. 


Bytes sorts the stations by the total number of 
bytes transmitted, received, or both. 


Average size sorts the stations by the average 
size of frames transmitted, received, or both. 


Network usage sorts the stations by their 
network usage. The usage percentage might fall 
in the range between 100 and 200 if the class of 
traffic is Both because the monitor counts each 
frame for its source and destination. 


First activity sorts the stations by the date and 
time that the first frame was transmitted or 
received. 
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Last activity sorts the stations by the date and 
time that the most recent frame was transmitted 
or received. 


Elapsed activity sorts the stations by the amount 
of time between the first and last activity. 


Active stns only _ Displays only stations that have sent or received 
traffic since the beginning of the current 
monitoring session. 


All Stations Statistics in Numeric Format 


The numeric view always includes the station names. Other types of 
statistics that can be included are: Partner’s name, Frames, Errors, 
Bytes, Average size, Network usage, First activity, Last activity, and 
Elapsed activity. 


For definitions of these terms, refer to the description of Sort by 
earlier in this section. 


Figure 9-6 is an example of a numeric view showing the statistics for 
all stations. 


ABSOLUTE TRAFFIC STATISTICS TO AND FROM STATIONSN————————Oct. #2 17:42:17 
Station Frames Errs Bytes Size Usage 
1 File Server 276 , 809 g 73,432,466 266 6.51 
2 Print Server 194,191 g 45,529,139 238 4.93 
3 Denise Martin 19,582 g 18,611,113 919 4.59 
4 Mark Ellison 19,804 4 15,513,678 783 1.37 
5 Ed Hicks 19,389 2 15,013,438 774 1.33 
6 Linus Stanwick 19,206 3 14,282,561 743 1.26 
7 Steven Anderson 19,264 Q 9,882,593 588  §.87 
8 William Griffith 19,582 8 6,804,908 347 8.60 
9 Tom Brown 19,623 g 6,011,525 306 9.53 
18 Michael Harley 19,889 3 4,914,731 248 6.43 
11 Miles Russell 19,575 6 2,748,389 140 6.24 
12 Barbara Lemmon 19,565 9 2,707,797 138 6.24 
13 Bill Goodman 19,649 g 2,529,836 128 6.22 
14 Barney Ingram 28,025 g 2,220,957 118 6.19 
15 Ken Quinn 19,281 2 2,228,098 115 6.19 
16 Alex Zwick 19,715 g 1,982,862 106 8.17 M 
17 Helene Milici 19,558 6 1,947,278 99 17 o 
18 George Stanley 19,984 8 1,796,588 8 15 r 
19 Jill Franz 28, 066 2 1,725,088 85 15 e 
Robert Hayes 19,695 2 1,441,699 73 12 4 


3 Prev—ld Nextii> 6Disply 9Freeze—fi® Stop 
stationfistationl§ Menus foptions| displayfimonitor| 


Figure 9-6. Statistics for all stations (numeric format). 


All Stations Statistics in Graphic Format 


The categories of statistics in the graphic view cannot be changed. For 
example, you cannot display the names of the stations’ partners. 
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Display 


The bottom portion displays absolute or relative network usage (in 
percentage) for up to 10 stations at a time, sorted by the key you 
selected. 


The top portion shows statistics for the displayed stations as a graph, 
with transmissions, receptions, and both counts appearing in 
different colors or intensities. 


Figure 9-7 is an example of a graphic view showing the statistics for 
all stations. 


RELATIVE TRAFFIC STATISTICS TO AND FROM STATIONS————————Oct. 82 18:82:35, 
10 pAdAAAA~Ad— ddA dA—AA——— AAA — AA 


5 6 7 


4 
Legend: TO FROM BOTH 


File Server : 6 Linus Stanwick 
Print Server : 7 Steven Anderson 
Denise Martin : 8 William Griffith 
Mark Ellison . 9 Tom Brown 

Ed Hicks ‘ 19 Michael Harley 


lore 
il 3 Prevld Nextfis 6Disply—i? Scale—i8 Scalefi9Freeze—ii@ Stop 
Help stationfistation§| Menus ffoptions™ up down fidisplayfimonitor 


Figure 9-7. Statistics for all stations (graphic format). 


Display Frame Sizes 


Shows how many frames fall into each predefined size category and 
what percentage of frames each size category comprises. Figure 9-8 is 
an example of the Frame Sizes view. 
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FRAME S$1Z2ES—-——_______Oct. 82 18:08:58 


Frames Percent @ 20 40 62 34) 120 


g 2.00 
152 3.69 |= 


{i1 2.63 |= 
139 318 


g 2.28 
g 6.20 
Over 1514 0.20 


D 6Disply 9Freeze—il@| Stop 
Menus fifoption displayfimonitor 


Figure 9-8. Frame sizes view. 


Size Displays the size categories (in bytes) used to classify 
the frames. The minimum frame size is 60. The first 
size category is “ Under 60”, which counts the number 
of fragments that are smaller than the minimum size. 


Frames Displays the total number of frames for each size 
category. 
Percent Displays the percentage of frames for each size 


category. The graph illustrates these percentages. 


Display Ethertype Protocol 


Shows the percentages of frames or bytes according to the value in 
each frame’s Ethertype field. The options Bytes and Frames 
determine whether the statistics are displayed in bytes or frames. The 
monitor reads the STARTUP.ENT file for the EtherType values. 


Figure 9-11 is an example of the Protocol Types (Ethertypes) view. 


Display 


g 
128 , 303,628 
12,728 


2,757, 687 ,945 
579,112 


5 Pmbdisply Freezefl0 Stop 
Menus fifoption' displayfimonitor} 


Figure 9-9. Protocol Types (Ethertypes) view. 


The following explains the terms used in the display: 


Ethertype Protocol type to which the frame being counted 
belongs. 


Bytes / Frames Number of bytes or frames that fall into a 
particular protocol category. 


% Total Percentage of frames or bytes of a particular 
protocol type. The graph illustrates these 
percentages. 


You are allowed to specify multiple values for a protocol type. For 
example, STARTUP.ENT can contain the following entries: 


ethertype “AT&T” = 8046 
ethertype “AT&T” = 8047 


In the Protocol Types view, there is one entry for AT&T. The count 
under this entry includes all the frames whose Ethertype value is 8046 
or 8047. 
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Display Alarm Log 


Lists up to 200 alarms generated in the current monitoring session that 
have not been cleared. From the Alarm Log view, you can 
acknowledge an alarm by pressing F3 or clear it by pressing F4. 


Figure 9-10 is an example of the Alarm Log view. 


Critical 
Warning 
Warning 
Warning 
Critical 
Warning 
Minor 
Warning 
Major 
Major 
Minor 
Warning 


i 
Help 


15:58:15 
15:58:17 
15:51:04 
15:51:45 
16:02:18 
16:89:19 
16:15:59 
16:17:23 
16:17:54 
16:28:17 
16:23:16 
16:23:34 
16:24:24 
16:24:38 
16:29:58 
16:31:16 


Global Network 
even Anderson 
Denise Martin 
Mark Ellison 
Barbara Lemmon 
George Stanley 
File Server 
Anthony Serrao 
Jill Franz 
Robert Hayes 
Print Server 
Ken Quinn 
Alex Zwick 
Linus Stanwick 
Miles Russell 
James Wylie 
Jack Clayton 
Fred Biddle 


3 Ack $4Clear 5 6Disply 
alarm § alarm § Menus foption: 


Figure 9-10. Alarm Log view. 


el usage exceeded 
Rel usage exceeded 12% 
Rel usage exceeded 5% 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
No response 1 second 
Rel usage exceeded 5% 
Rel usage exceeded 5% 
Rel usage exceeded 5% 
Rel usage exceeded 4% 
Rel usage exceeded 5% 
No response 1 second 
No response 1 second 
No response 1 second 


The following list explains the fields in the Alarm Log view: 


Priority 
Time 


Source 


Type/ Description 
Ack 


10 Stop 
monitor] 


Priority level of the network event that triggered 
the alarm. 


Time and date the event occurred. 


Name of the station that triggered the alarm. 
“Global Network” is displayed if the alarm is a 
global alarm. 


Type of event that triggered the alarm. 


Whether the alarm has been acknowledged 
(indicated by a V mark). 
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Display 


Display Global History 


Displays a history of activity for the entire network at intervals you 


determine. 

Options 
Numeric Displays history statistics as columns of numbers. 
Graphic Displays the usage of the network in a graph. 


Global History Statistics in Numeric Format 
Figure 9-11 is an example of the Global! History Statistics view. 


LOBAL HISTORY STATISTICS ct. 26 16:36:53 
Time Frames Errs Bytes Size %Usage 


21 Oct 26 16:36:43 17, 468 4,533, 409 
16:34:43 28,984 7,229,993 
16:32:43 24,326 5,747,665 
16:38:43 22,886 5,748,709 
16:28:43 24,973 6,687 , 986 
16:26:43 25,069 6,382,822 
16:24:43 26,788 6,407,011 
16:22:43 29,863 6,571,694 
16:20:43 25,359 6,205,828 
16:18:43 24,168 6,148,575 
16:16:43 26 , 289 6,781,864 
16:14:43 26, 366 6,715,119 
16:12:43 26, 969 6,152,979 
16:18:43 26, 091 6,511,299 
16:28:43 22,652 5,513,472 
16:06:43 26,378 6,595, 404 
16:04:43 24,485 6,895,834 
16:82:43 22,415 5,471,446 


Figure 9-11. Global history statistics (numeric format). 


The leftmost column of numbers identifies the interval number, with 
the most recently recorded interval at the top of the screen. 


The following list explains the various fields in the numeric Global 
History Statistics view: 


Time Date and time of each interval. The date is not 
displayed if it is the same as the one above it. 


Frames Number of frames recorded for each interval. 
Errs Number of frames with errors recorded for each 
interval. 
Bytes Number of bytes recorded for each interval. 
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Size Average size of the frames recorded for each interval. 
% Usage Absolute network usage (in percentage) for each 
interval. 


Global History Statistics in Graphic Format 


Figure 9-12 is an example of the graphic Global History Statistics 
view. 


LOBAL HISTORY STATISTICS-—-———————ctt. 26 16:38:18 
Time 4 8 12 16 20 


Oct 26 16:36:43 
16:34:43 
16:32:43 
16:30:43 
16:28:43 
16:26:43 
16:24:43 
16:22:43 
16:28:43 
16:18:43 
16:16:43 
16:14:43 
16:12:43 
16:10:43 
16:08:43 
16:06:43 
16:04:43 
16:22:43 


3 Viewed Views 6Displu—i/ Scale—i8 Scale} 18 Stop 
earlier laterf{ Menus foptions™ up down monitor 


Figure 9-12. Global history statistics (graphic format). 


The graphic view contains the history interval number, the time and 
the network usage. The graph illustrates the percentages of network 
usage. 


Display Station History 


Displays a history of activity for a selected station or address at 
intervals you determine. The title identifies the station as well as 
whether statistics represent transmissions, receptions, or both, and 
whether they show absolute or relative network usage. If you do not 
select a station, these statistics are collected for the default address 
(Broadcast). 
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Network 
General 


Display 


Options 
Numeric Displays station history statistics as columns of 
numbers. 
Graphic Displays station history statistics in a graph. 


Station History Statistics in Numeric Format 


Figure 9-13 is an example of the history statistics view for a station 
named “File Server” in numeric format. The statistics displayed in the 
view pertain to the traffic transmitted or received (or both) by the 
station, depending on the setting of the Class option in the Display 


menu. 


ABSOLUTE HISTORY STATISTICS TO AND FROM File Server-—————Oct 26 16:39:06 
Time Frames Errs Bytes Size %Usage 
22 = Oct 26 16:38:43 3,825 8 931,393 243 1.59 
21 16:36:43 19,513 3 2,962,108 281 5.05 
28 16:34:43 16,919 3 4,437,814 262 7.59 
19 16:32:43 14,263 3 3,201,848 224 5.58 
18 16:30: 43 13, 286 1 3,452,364 259 5.99 
17 16:28:43 14,555 B 4,179,546 287 7.13 
16 16:26:43 14,674 1 3,939,038 268 6.73 
15 16:24:43 15,689 5 3,772,781 248 6.47 
14 16:22:43 14,594 7 3,987,243 273 6.81 
13 16:28:43 14,588 1) 3,778,333 259 6.46 
12 16:18:43 14,238 3 3,814,111 268 6.52 
11 16:16:43 15,392 4 4,395,663 285 7.50 
18 16:14:43 15,524 8 4,036,815 268 6.90 
9 16:12:43 15,719 4 3,773,153 246 6.47 ¢ 
8 16:18:43 15,254 3 3,941,129 258 6.740 
7 16:88:43 13,172 1 3,478,488 263 5.93 r 
6 16:66:43 15,284 6 4,976,686 266 6.96 e 
5 16:64:43 14,325 4 3,718,778 259 6.35) 


3 Viewsd Views 6Disply 10 Stop 
earlier’ laterfj Menus option monitor} 
Figure 9-13. Station history statistics (numeric format). 


The leftmost column consists of the interval numbers, with the most 
recently recorded interval at the top of the column. 


Time Date and time of each interval. 

Frames Number of frames recorded for each interval. 

Errs Number of errors recorded for each interval. 

Bytes Number of bytes recorded for each interval. 

Size Average size of the frames recorded for each interval. 
% Usage Percentage of absolute or relative network usage for 


each interval. 
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Station History Statistics in Graphic Format 


Figure 9-14 is an example of the station history display for a station 
named “File Server” in graphic format. 


rABSOLUTE HISTORY STATISTICS TO AND FROM File Server-———————ct. 26 16:39:51 
Time sage & 2 4 6 8 16 


Oct 26 16:38:43 
16:36:43 
16:34:43 
16:32:43 
16:32:43 
16:28:43 
16:26:43 
16:24:43 
16:22:43 
16:28: 43 
16:18:43 
16:16:43 
16:14:43 
16:12:43 
16:19:43 
16:28:43 
16:06:43 
16:84:43 


il 3 Viewed Viewso 6Disply—i/ Scale—i8 Scale 16 Stop 
Help earlier latergj Menus foptions™ up down monitor 


Figure 9-14. History statistics for “File Server” (graphic format). 


The leftmost column consists of the interval numbers, with the most 
recently recorded interval at the top of the column. 


Time Date and time of each interval. 


vo Usage Percentage of absolute or relative network usage for 
each interval. The graph illustrates the percentages. 


Alarm 


Clears alarms from the alarm buffer automatically, sets alarm 
thresholds, and determines where to send the alarm log. 


Options 


Edit Displays the Manage Station Information view, in 
which you can edit station information. For further 
information on station information, refer to “Manage 
Stations” on page 9-34. 


et 


Alarm 


Auto clear 


Thresholds 


Sets an interval (1 minute to 99 hours) at which the 
monitor automatically clears each alarm to make room 
in the alarm buffer. To make sure alarms are not lost, 
use Log to for printing out the alarms or storing to 
disk. To turn Auto clear off, choose 0. The default 
value is 1 hour. The monitor can clear alarms 
automatically only when it runs in the foreground. 


Specifies alarm thresholds. There are two types of 
thresholds: Global and Station defaults. 


Global determines the types of network events that 
cause global alarms. Options for Global are described 
below: 


If Unknown station is selected, a station that has not 
been named triggers an alarm when it transmits 
frames. 


Specify other causes of alarms with the Errors, Usage, 
Broadcast, and Idle options. Except for the Idle 
option, you can define an interval (5 seconds to 60 
minutes) during which the monitor determines 
whether a threshold has been exceeded. After each 
interval, the count resets to 0. 


Errors defines the number (1 to 65,535) of frames with 
errors that triggers an alarm. The default number is 20; 
the default interval is 30 seconds. 


Usage defines the percentage (1 to 100%) of absolute 
network usage that triggers an alarm. The default 
percentage is 50%; the default interval is 5 seconds. 


Broadcast specifies the number of frames that can be 
sent to the broadcast address before the monitor 
generates an alarm. The default number is 100; the 
default interval is 5 seconds. 


Idle specifies the length of time (5 seconds to 1 hour) 
the network can be inactive before the monitor 
generates an alarm. The default length of time is 15 
minutes. 


Station defaults assigns the default threshold settings 
to new stations as they are detected on the network. 
The thresholds are described below: 


Errors defines the number (1 to 65,535) of frames with 
errors a station can transmit before triggering an 
alarm. The default number is 100. 
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Log to 


No response determines when the monitor generates 
a no-response alarm. The default setting of No 
response is Off. The monitor does not generate a no- 
response alarm each time the specified number of 
seconds has elapsed since a station received a frame. 
Instead, it makes sure that the station it generates the 
alarm for has been receiving but not transmitting. For 
example, if No response is 5 seconds, the monitor 
generates the alarm when either of the following 
conditions occurs: 


* A station’s last reception happened at least 5 
seconds after the last transmission, and it has 
received 3 frames since the last transmission. 


* A station’s last reception happened at least 5 
seconds after the last transmission, and 5 seconds 
have elapsed since the last reception. 


Idle defines the length of time (1 to 120 minutes) the 
station can go without transmitting before triggering 
an alarm. The default setting is Off. That is, the 
monitor does not generate an alarm regardless of how 
long a station has been idle. 


Usage defines the percentage of relative network 
traffic (1 to 100%) the station can generate before 
triggering an alarm. The default setting is Off. 


Priority defines the importance of alarms for a given 
station. The priority levels are Inform, Warning, 
Minor, Major, and Critical. The default value is 
Warning. 


Specifies where to send the alarm log. You can select 
either or both of the following: 


Printer, which sends the alarm log to the specified 
printer. 


Select the Device LPT1 option in the Alarm\Log 
to\Printer menu to print on the server's printer port; 
select the Device LPT2 option to redirect the 
printout to the console. Specify the number of lines 
(0 to 256) on each page with the Page size option. If 
you specify 0, no page break is inserted. The default 
page size is 58. 


* File, which sends the alarm log to a disk file 
(ALARM.LOG). 
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Report 


Report 


Options 


The Clear alarm file option in the Alarm \Log 
to\File menu determines whether the monitor 
appends the current alarm log to the previous log 
file or clears the log file each time it starts 
monitoring. A preceding V mark indicates that the 
file is cleared at the beginning of each monitoring 
session. 


Generates reports based on report scripts. You can print the resulting 
reports and save them as files, in either normal or delimited format. 
The Report Script Editor view lets you modify report scripts to 
customize reports to your needs. 


Load 


Loads an existing report script which you can use to 
generate a report or edit before generating a report. 
(The monitor looks for report scripts in the 
C:\ENREPORT\SCRIPTS directory). 


The monitor comes with the following report scripts: 


ERRORS.SCR provides statistics for the 10 stations 
that transmitted the most frames with errors during 
the most recent monitoring session. A station must 
have transmitted at least five frames with errors to be 
included in the report. 


ETYPES.SCR shows the protocol type distribution. 
The statistics provided include the number and 
percentage of frames for each protocol type. A graph 
illustrates the percentages. 


FRAMSIZE.SCR shows the frame size distribution. 
The statistics provided include the number and 
percentage of frames that fall in each frame size 
category. A graph illustrates the percentages. 


HISTORY.SCR shows the absolute network usage in 
percentages for all the history intervals. 


LISTENRS.SCR provides statistics for the 10 stations 
that received the most traffic during the most recent 
monitoring session. 


TALKERS.SCR provides statistics for the 10 stations 
that transmitted the most traffic during the most 
recent monitoring session. 
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Edit 


USERLIST.SCR lists the physical addresses and names 
of all stations, sorted in descending order by name. 


USERS.SCR provides transmit and receive statistics 
for all stations, sorted in ascending order by name. 


USERSCSV.SCR provide the same information as the 
USERS report, but in a delimited format that allows 
you to import the information into spreadsheets and 
other applications. 


(For more information on these reports, see “Sample 
Reports: An Overview” on page 6-3.) 


Displays Report Script Editor view, which contains 
the last report script loaded and the function keys with 
which you modify the script. Refer to “Report Script 
Editor View” on page 9-33 for further information on 
how to use the function keys. 


The Edit option also specifies how the statistics are 
sorted and what statistics are to be included in an 
existing report script. 


The following are the various options in the 
Report \Edit\Sort by menu that affect how a report 
sorts the statistics: 


To refers to the frames the station receives. 
From refers the frames the station sends. 


Both refers to the frames the station sends and 
receives. 


Note: The To, From, and Both options determine the 
type of traffic to which the sort key applies. Therefore, 
they do not affect how a report orders the stations if it 
sorts them by name or address. These options, 
however, determine whether a station is considered 
active. Refer to the description for Active stns only 
later in this section for information on including only 
active stations in a report. 


Ascending specifies that the stations be displayed in 
ascending order. 


Descending specifies that the stations be displayed in 
descending order. 


Name is the station’s name. 


Partner's name is the name of the station’s partner. A 
station’s partner is the station that it communicated 
with most recently. 
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Frames is the total number of frames. 

Errors is the total number of frames with errors. 
Bytes is the total number of bytes. 

Average size is the average frame size. 


Network usage is the percentage of network usage by 
the station. 


First activity is the time when the station first sends or 
receives traffic. 


Last activity is the time when the station last sends or 
receives traffic. 


Elapsed activity is the amount of time between the 
first and last activity. 


Address is the station’s address. 


The following describes the options that determine 
what types of statistics are to be included in a report: 


Active stns only specifies that a station is included in 
a report only if it has sent or received a frame, 
depending on how the stations are sorted. For 
example, if they are sorted by the frames received 
(when the To option in the Report \ Edit \Sort by menu 
is selected), a station is considered active if it has 
received traffic. 


Delimited format specifies that the report is in 
spreadsheet-compatible format. A report in this 
format does not include embedded commas in 
numbers. Also, when you print out the report, the 
monitor does not insert any page breaks. 


Filter 1 and Filter 2 determine whether the monitor 
uses filters to exclude stations from a report if they do 
not meet certain criteria. How the filters interact with 
each other depends on the AND and OR options. If 
AND is selected, the monitor includes only the 
stations fulfilling the requirements of both filters; if 
OR is selected, it includes the stations that meet the 
requirements defined by either filter. 


For examples that illustrate the filters’ interaction, 
refer to “Creating or Modifying a Report Script” on 
page 6-18 and “Recommendations on Report Editing” 
on page 6-25. 
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The To, From, and Both options associated with the 
filters determine whether the monitor filters out 
stations from a report based on the traffic received, 
sent, or both, respectively. These options do not take 
effect if the stations are filtered by sort position, name, 
partner’s name, or address. 


Other options associated with the filters are described 
below. Each option defines a range of values. 


Sort position is the position of the station in the 
report. The permissible range is 1 through 1,024. For 
example, if you specify that the minimum is 1 and 
maximum is 20, the top 20 stations are included in the 
report. 


Name is the station’s name. It specifies the 
alphabetical range to which the station’s name must 
belong if the station is to be included in the report. The 
minimum value is “” and the maximum is 

a tetetededededededededadedetaded ”. That is, the minimum or 
maximum value can be up to 16 characters. For 
example, you can define “bb” as the minimum value 
and “kk” as the maximum. If a station’s name is 
bobby, it fulfils the requirement of the filter. If a 
station’s name is kristen, it is outside the specified 
range and the station will not be included in the 
report. Numerals are considered smaller than letters. 
For example, you can define the minimum to be “123” 
and maximum to be “abc.” The name strings are case- 
sensitive; lowercase is smaller than uppercase. For 
example, “abc” is smaller than “ABC,” and “C” is 
smaller than “z.” 


Partner's name is the name of the station with which 
a station communicated most recently. For a station to 
be included in the report, its partner’s name must 
belong to the alphabetical range defined by Partner's 
name. The rules for specifying the range are the same 
as those for Name. 


Frames is the total number of frames. The permissible 
range is 0 through 4,294,967,295. 


Errors is the number of frames with errors. The 
permissible range is 0 through 65,535. 


Bytes is the number of bytes. The permissible range is 
0 through 999,999,999,999. 


Average size is the average frame size. The 
permissible range is 60 through 1,514. 
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Save 


Clear 


Print 


First activity is the date and time when the first 
activity takes place. The minimum time is 0 days; the 
maximum time is 49 days 17:02:47.295. A station is 
included only if its first activity happened in the time 
period specified. For example, suppose the 
monitoring session started at 1 p.m. If you specify that 
the minimum value of First activity is 2 hours, and 
that the maximum value is 7 hours, a station is 
included in the report only if its first activity happens 
between 3 p.m and 8 p.m. 


Last activity is the date and time when the last activity 
takes place. It has the same permissible range as First 
activity. 


Elapsed activity is the time between the first and last 
activity. It has the same permissible range as First 
activity. For example, if you set minimum value to 0 
and maximum value to 2 days, only the stations 
whose first and last activities happened within 2 days 
meet the requirement of the filter. 


Address is the station’s address. The permissible 
range is 000000000000 through FFFFFFFFFFFFP. 


Absolute usage is the percentage of absolute network 
usage by the station. The permissible range is 0 
through 100%. For example, if you specify minimum 
to be 10% and maximum 100%, only the stations 
whose traffic accounts for at least 10% of the network 
capacity meet the requirement of the filter. 


Relative usage is the percentage of relative network 
usage by the station. The permissible range is 0 
through 100%. For example, if you specify minimum 
to be 10% and maximum 100 percent, only the stations 
whose traffic accounts for at least 10% of the network 
traffic meet the requirement of the filter. 


Saves a report script you created or modified. The 
report script must be stored in the 
C:\ENREPORT\SCRIPTS directory. 


Erases the contents of the report editor. 


Prints the report based on the report script that has 
been loaded. 


The Screen option displays the report on the screen. 


The Device LPT1 option is the printer port on the 
server, and Device LPT2 redirects the output to the 
console. If you send the report to a printer, you can 
specify the number of lines per page. The default is 58. 
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Auto print 


The File option saves the report to disk under a 
filename of your choice. The monitor attaches the 
extension .RPT or .CSV (if the report is in delimited 
format) to the filename. 


The Page size option is applicable if Delimited format 
in the Report \Edit menu is disabled, and the report is 
printed to a file or device. It defines the number of 
lines printed before the monitor inserts a page break. 
The number ranges from 1 to 256. If you want no page 
breaks, set this option to 0. When the monitor inserts a 
page break, it also prints the header text in the report 
(for example, the report title). 


Prints out the report at each interval until midnight; 
restarts printing at the time defined by the Start time 
option (described later). The monitor must be running 
in the foreground for Auto print to function. The 
following describes the options: 


Report specifies the file to be printed. 


Start time determines when the first report of each 
day is printed. For example, if Start time is set to 12:00, 
and the current time is 8 a.m., the monitor will print 
the first report at noon. If the start time is already past 
(for example, it is set to 08:00 and the current time is 2 
p.m.), the first report is printed at the next interval 
boundary, which is determined by the Interval 
option. For example, if Interval is 15 minutes, the first 
report is printed at 2:15 p.m. To disable this function, 
specify 00:00. By default, Start time is disabled, which 
means that the first report is generated immediately. 


Interval determines how often the monitor prints a 
report. Specify a time between 1 minute and 24 hours. 
The default value is 1 hour. 


Print to device specifies the printer port the monitor 
uses to print out the file. (The Device LPT1 option 
refers to the printer attached to the server; the Device 
LPT2 option redirects output to the console.) You can 
specify the number of lines per page. The default is 58; 
selecting 0 disables page breaks. When the monitor 
produces a page break, it also prints the header text 
(for example, the title of the report). 
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Report Script Editor View 


Print to disk specifies that the monitor print the report 
to a file in the C:\ENREPORT directory. If Single file 
is selected, all reports are appended to one file. The 
filename is ARYYMMDD.RPT (YYMMDD represents 
the year, month, and day). If Multiple files is selected, 
each report is printed to a separate file. The filename 
for each report is YYMMDDNN.RPT (NN represents 
the number of the report). You can print reports to up 
to 99 files. 


Restart monitor determines whether the monitor 
starts anew monitoring session once it printed out a 
report. 


By default, Print to device, Print to disk, Multiple 
files, and Restart monitor are not selected. 


The Report Script Editor view (invoked by Edit in the Report menu) 
lets you modify the last report script that was loaded. Its functions are 
accessible through special function keys. These keys are described 


below: 


F2 (Insert field) 


F3 (Insert line) 
F4 (Delete line) 


F6 (Edit option 


F7 (Chars) 


Displays a list of fields you can include in the 
report. When you select a field, the monitor 
inserts a code into the script. Whenever you 
preview, print, or save a report based on this 
script, the monitor inserts the current statistics 
that the code represents. Appendix B provides 
information on the report fields. 


Inserts a blank line into the report script. 


Deletes the line that contains the cursor from the 
report script. 


Ss) Provides the Load, Save, Clear, Print, and Auto 
print options. These options are also available 
when you select Report from the Main Menu. 


In addition, the Report settings option specifies 
how the statistics are sorted, whether only active 
stations are included, whether only inserted 
stations are included, and how the filters are 
used. Report settings presents the same menu as 
the Report \Edit menu. 


Lists the special characters you can insert in a 
report script. 


F8 (Repeat char) Repeats special characters for continuous lines or 


borders. 
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F9 (Screen test) 


Manage Stations 


Provides a preview of the current report on 
screen. 


Displays and edits station information such as station names and 


threshold settings. 


Options 
Edit 


Reset thresholds 


Probe for names 


Manage Station Information View 


Displays the Manage Station Information view. 
This view is also generated by Edit in the Alarm 
menu. Refer to “Manage Station Information 
View” on page 9-34 for further information on 
the view. 


Resets all station alarm thresholds to the default 
settings specified by the current station default 
thresholds. 


Tries to assign names automatically using the 
NetBIOS remote status command. This option is 
applicable only if the server runs the IPX 
protocol. A station responds only if it is active 
and running the NetBIOS software. (The server 
that runs the monitor also responds to the 
NetBIOS remote status command.) 


Figure 9-15 is an example of the Manage Station Information view. 
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ANAGE STATION INFORMATION 

Address Errors No Rsp Idle %Usage Priority 
a Alex Zwick 25 Off Warning 
Warning 
Warning 
Warning 
Varning 
Yarning 
Warning 
Warning 
Varning 
Varning 
Varning 
Varning 
Varning 
Varning 
Yarning 
Varning 
Warning 
Varning 
Warning 


(3) 


Y 
00000463400 barbers Lemmon 
0000004E3126 Barney Ingram 
9000004E7256 Bill Goodman 
$000004E5298 David Brooks 
$200004E2001 Denise Martin 
Q000204E2108 Ed Hicks 
9000004E4302 File Server 
9000004E3504 Fred Biddle 
$200204EG205 George Stanley 
Q000204E0262 Helene Milici 
Q200004E7506 Jack Clayton 
$000004E3249 James Wylie 
$000004E2301 Jill Franz 
Q200004E8654 Ken Quinn 
$000204EG012 Linus Stanwick 
$000204E4523 Mark Ellison 
0200204E3096 Michael Harley 
$200004E8347 Miles Russell 
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Figure 9-15. Manage Station Information view. 
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To edit a station’s information, use the cursor to highlight the 
corresponding entry. You can also type the first letter of the station’s 
name to move to the entry. Press Enter, and a dialog box appears, 
which allows you to change the following types of information: 


Name The station name assigned to an address. The 
name can contain up to 16 printable ASCII 
characters. 

Errors The number of frames with errors (1 to 65535) a 


station can transmit before triggering an alarm. 


No response How long a station can be sent frames (broadcast 
frames excluded) without responding before 
triggering an alarm. Any value from 1 to 7 
seconds is allowed. 


Idle The length of time (1 to 120 minutes) the station 
can go without transmitting before triggering an 
alarm. 


% Usage The percentage of network traffic (1 to 100%) the 
station can generate before triggering an alarm. 


Priority The importance of a station’s alarms. The priority 
level can be Inform, Warning, Minor, Major, or 
Critical. 


Alternatively, you can use the function keys to edit the station 
information as described below: 
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Exit 


F2 (Delete station) Removes the station from the monitor data files. 


F4 (Apply default) Changes the threshold settings to the defaults. 
Specify the defaults with Alarm on the Main 
Menu. Refer to “Alarms” earlier in this chapter 
for further information on setting station default 
threshold settings. 


F7 (Thres options) Displays the threshold options, which are the 
same options displayed by the Thresholds 
options in the Alarm menu. 


Terminates the monitor's user interface and displays the Sniffer 
Server's Main Selection Menu. 


Although you can continue to monitor in the background after you 
terminate the monitor's user interface, you cannot log alarms, clear 
the alarm log, or print reports automatically. 


Upon exit, the monitor writes the STARTUP.ENB file. 
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Appendix A. Error and Warning Messages 


This appendix lists the monitor’s error and warning messages 
alphabetically. It explains each message and describes the action you 
should take when the message appears. 


Monitor Error Messages 


An error was encountered while loading the report script. 


Appears when you try to load an invalid report script file. Check your 
script and reload. 


Automatic report generation failed. 


Appears when the monitor tries to print a report automatically but the 
report script is corrupted. Check the report script file, edit it if 
necessary, and load it before you regenerate the report. 


Automatic report generation failed. Couldn't open report file. 


Appears when the monitor tries to print a report automatically but 
there are problems with the destination disk (for example, the 
directory structure is damaged). Make sure that your disk is operating 
properly and that the report scripts are stored under the 
C:\ENREPORT\SCRIPTS directory. 


Automatic report generation failed. Disk full. 


Appears when the monitor tries to print a report automatically to the 
disk but the disk is full. Remove unnecessary files from the disk to 
make room for the reports. 


Automatic report generation failed. Report script not found. 


Appears when the monitor tries to print a report automatically but 
cannot find the report script that the report should be based on. Check 
to be sure that the script is stored in the C:\ENREPORT\SCRIPTS 
directory. 


Automatic report generation failed to restart monitoring. 


Appears if the monitor fails to restart monitoring after generating a 
report automatically. Check to see whether the hardware 
configuration is correct. If the monitor still cannot start monitoring, 
contact NGC for help. 


Automatic report generation failed to restore report script. 


Appears if the monitor cannot restore the report script after 
generating a report automatically. The changes that you have made to 
the script with the script editor are lost. Contact NGC for help if this 
happens. 
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Can’t concatenate fields. 


Appears in the Report Script Editor view if you try to place two fields 
on the same line without any text characters between them. Place at 
least one text character between any two fields. 


Could not find the Ethernet Monitor network card. Make sure the 
card is installed correctly. 


Appears if you use the monitor software with a network interface card 
other than that supplied by NGC, or if the card is installed incorrectly. 
Refer to the Distributed Sniffer System: Installation and Operations 
Manual for a description of the Monitor Card and the installation 
procedure. 


Couldn’t generate a NetWare echo test. 


Appears when the monitor cannot communicate with the NetWare 
stack installed on the server's network interface card. Contact NGC 
for help if this happens. 


Couldn't open file. 


Usually indicates that you typed the file name incorrectly. Try typing 
the name again. If you cannot open any files, check the FILES= setting 
in the DOS file, CONFIG.SYS, increase the number, and reboot. 


Couldn’t save station information. 


Appears if the disk is full. Make room by deleting other files that may 
not be essential, such as old history logs. 


Fatal Error: Unable to determine the monitor state! Re-boot the 
system and configure the monitor again. If the problem persists, 
contact Technical Support. 


Appears when the server fails to determine the state of the monitor. 
Reboot the server, and contact NGC if the same message appears the 
next time you try to start the monitor. 


Fatal Error: Unable to load the monitor. Re-boot the server and try 
again. If the problem persists, contact Network General technical 
support. 


Appears when you attempt to start the monitor but the server fails to 
load the necessary files into memory. Reboot the server and try again. 
If the message appears again, contact the NGC technical support. 


Fatal Error: Unable to unload the monitor from memory. Re-boot 
the system and try again. If the problem persists, please contact 
Network General Technical Support. 


Appears when the server fails to remove driver from memory. Reboot 
the server; contact NGC if the same message appears again. 
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Field too long. 


Appears in the Report Script Editor view when the end of the field 
you want to include reaches past the end of a line (column 80). Try 
positioning the cursor farther to the left before placing the field. 


Help file not found. 


The monitor could not find the ENMON.HLP file in the C:\ENSNIFF 
directory. Restore this file from your back-up disk. 


Network card not responding. 


Indicates a problem with programming the network interface card. 
Contact NGC for help. 


No report script disk files found. 


Appears if you try to load report scripts and the monitor cannot find 
any report script files. Restore the report scripts from your back-up 
disk. 


No statistics have been collected. 


Appears when you try to display statistics but you have not started a 
monitoring session. Start a monitoring session by pressing F10 (New 
monitor). 


Not a valid DOS file name. 


Appears when you try to enter a filename that contains invalid DOS 
characters. Try typing the name again, following the DOS filename 
requirements. 


The broadcast address cannot be deleted. 


Appears if you try to delete the broadcast address. Reselect the station 
you want to delete. 


The current report script contains no information. Use the Report 
Editor to create a report, or load a report from a disk file. 


Appears if you try to print or save a report without first loading or 
editing a report script. Load the desired report script or create a report 
script. Then retry. 


The minimum filter value must be less than or equal to the 
maximum filter value. 


Appears if you try to enter a minimum value for a report filter that 
exceeds the maximum value. Enter a minimum filter value that is less 
than or equal to the maximum filter value. 


The STARTUP.ENI file has too many entries. The entries at the end 
of the file were not loaded. 


Appears if STARTUP.ENI contains more than 225 entries. 


As 
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The STARTUP.ENT file has been changed. You must unload 
ENMONDRV.EXE for the changes to take effect. 


Appears if you have used a text editor to modify STARTUP.ENT 
when ENMONDERYV is loaded. In order for the monitor to use 
consistent Ethertype information, you must remove ENMONDRV 
from memory before changing STARTUP.ENT. Then restart the 
monitor. 


The STARTUP.ENT file has too many entries. The entries at the end 
of the file were not loaded. 


Appears when STARTUP.ENT contains more than 32 entries. 


The STARTUP.ENT file has too many group entries. The entries at 
the end of the file were not loaded. 


Appears when STARTUP.ENT contains more than 16 Ethertype 
labels. 


The value you have entered is not valid for this item. 


Appears when you enter an invalid value. Most messages tell you the 
range of valid values; if not, try entering a lower or higher value. 


This software has been tampered with. What you have done is 
illegal! 


Your software has been illegally modified and executable files were 
corrupted. Call NGC for help. 


Unable to print alarm log, check printer. 


Appears when you try to print the alarm log and the printer does not 
respond. Make sure the printer is connected to the printer port on the 
server or console and that it is turned on and functioning properly. To 
verify that the printer functions properly, check to see whether other 
servers can print alarm logs on the same printer. 


Write to alarm log failed. Disk full. 


Appears if the disk is full when the monitor tries to add alarms to the 
alarm log on the disk. Make room by deleting other files that are not 
essential, such as files containing history statistics that you no longer 
need. 


Write to file failed. Disk full. 


Appears if the disk is full when you try to store a report to the disk. 
Make room by deleting other files that may not be essential, such as 
files containing history statistics that you no longer need. 


Write to history log failed. Disk full. 


Appears if the disk is full when the monitor tries to store the history 
log to the disk. Remove unnecessary files from the disk to make room 
for the history log. 
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You did not enter a file name. 


Appears if you try to store a report to the disk but have not specified 
the filename. 


You must load a NetWare shell before you can use this feature. 


Appears if the monitor tries to perform a station test but no network 
interface cards are loaded with NetWare. Check to make sure that 
more than one network card is installed in the server, and that one of 
the network cards is using NetWare. 


You must load a NetBIOS handler before you can use this feature. 


Appears if you try to use Station test with the NetBIOS or Probe for 
Names option and the monitor cannot find the NetBIOS software. If 
you are sure that you are running NetBIOS, press Enter to ignore the 
message. If you cannot proceed, contact NGC for help. 


You must specify a unique station. 


Appears if you try to send a test frame with either a broadcast or 
multicast address as the destination address. Select an individual 
station as the destination address of a test frame. 


You must stop monitoring before you can use this feature. 


Appears if you try to start a transmit timer or station test when a 
monitoring session is in progress. Press F10 to stop the monitoring 
session before starting these monitor functions. 


You should not include a file extension. 


Appears if you include a file extension when you specify a name of a 
file to which a report is stored. 


Monitor Warning Messages 


The following is an alphabetical listing of warning messages that 
appear during normal operation. They provide a brief explanation of 
the consequences of proceeding and give you a chance to change your 
mind. 


Any changes made to station alarm configurations will be lost if 
you proceed. 


Appears after you change threshold settings and then try to reset all 
thresholds to the default settings. 


File exists. 


Appears when you try to assign a report script filename that already 
exists. Unless you assign a different filename, the new report script 
overwrites the existing script. 
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The current history statistics will be cleared if this setting is 
updated. 


Appears when you try to change either the station for which history 
statistics are collected or the history interval during a monitoring 
session. To prevent losing the statistics, print a report before changing 
these settings. 


The last line of the report script will be lost if this line is inserted. 
Press ENTER to proceed. Press ESC to cancel. 


Appears if you try to create or modify a report script to contain more 
than 58 lines. 


The number of stations being monitored has reached the maximum 
value set in the configuration program. You should increase this 
setting to make sure that all stations are being monitored. 


Appears when the actual number of stations on the network exceeds 
the value of Maximum Stations in the Configuration Options view. 
The message appears when you use the Display command on the 
Main Menu. 


The number of stations being monitored has reached the Sniffer 
Network Monitor's maximum value. 


Appears when more than 1,024 stations are on the network; 1,024 is 
the maximum number of stations that the monitor can monitor. 


The Sniffer Network Monitor will stop monitoring if you proceed. 
Press ENTER to proceed. Press ESC to cancel. 


Appears after you pressed F10 during a monitoring session. To stop 
monitoring, press Enter. If you want the monitoring session to 
continue, press Esc. 


These changes will not be saved unless you enter a name for the 
station. 


Appears if you try to save alarm thresholds for a station that is not 
named. Since the monitor considers unnamed stations as intruders, 
you must name all legal stations. 


This selection will not take effect until the next time the collection 
of history statistics starts. 


Appears if you change the Align history option under History. The 
new setting takes effect at the next monitoring session. 


The Sniffer Network Monitor has been monitoring for more than 5 
weeks. You must start anew monitoring session or the statistics will 
overflow. 


Indicates that the statistics accumulated may not be accurate due to 
overflow. You should start a new monitoring session. 


Monitor Warning Messages 


You have not saved the latest Report Editor session. Any changes 
will be lost if you proceed. 


Appears if you try to exit the monitor’s Main Menu without saving 
the latest report script you edited. 


You must stop monitoring before you can change this filter. 


Appears if you try to change the option settings for Monitor filters 
when a monitoring session is in progress. Press F10 to stop 
monitoring before you change the options. 
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Appendix B. Report Fields 


Chapter Overview 


This appendix explains the meaning of each field that you can insert 
or edit in a report script. It also gives the code that represents each 
field. On the screen, the actual code is preceded and followed by the 
“at” sign (@). 


To display the list of report fields as shown in Figure B-1, press F2 
(Insert field) in a Report Script Editor view. This appendix describes 
the fields in the same order as they appear in Figure B-1. To find out 
what a particular code in your report script stands for, refer to the list 
of codes at the end of this appendix. 


-REPORT SCRIPT EDITOR 


FIELD: 
Global Errors Station From To Both 


SrvrAddr Runt Sort Pos Partner Partner Partner 
Stations Align Address % Usage % Usage % Usage 
% Usage CRC Name Frames Frames Frames 
Frames TotErrs Hist Stn Errors Errors Errors 
Bytes  Unsaved Text Bytes Bytes Bytes 
Avg Size Missed CSV Ret Avg Size Avg Size Avg Size 


First Tot Lost First First First 
Last Last Last Last 
Elapsed Elapsed Elapsed Elapsed 
History History History History 
Start 

End 

Active 

CurrT ime 

FrmSizes 

Etypes 


Figure B-1. Report fields. 
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Global Fields 


The fields under the heading “Global” represent information about 
the entire network. The following list explains the meanings of the 


Global fields: 
SrvrAddr 


Stations 


% Usage 


Frames 
Bytes 
Avg Size 


First 


Last 


Elapsed 


History 


Start 


Server’s NetBIOS address (for a server running IPX) or 
IP address (for a server running TCP/IP). If more than 
one server is connected to a console, the address helps 
you determine which server generates a particular 
report. The code is GSERVER ADDR. 


Number of stations. 
Absolute network usage. It has two options: 


Numeric displays the percentages in numbers 
(without the percent sign). The code is GUAB. 


Graphic displays the percentages in a graph. You can 
select the scale used on the axis, which can be 0.4, 2, 10, 
20, 50, or 100%. The code is GUSAGE ABS, which is 
followed by the scale. 


Total number of frames. The code is GFRAME. 
Total number of bytes. The code is GBYTE. 


Average size of the frames in the current monitoring 
session (total number of bytes divided by the total 
number of frames). The code is GAV. 


Time when the first network activity took place. The 
code is GFIRST. 


Time when the last network activity took place. The 
code is GLAST. 


Time elapsed between the first and last network 
activity. It shows the number of days, hours, minutes, 
and seconds. The code is GELAPSED. 


Global history statistics. It has two options: 


Numeric shows the history statistics in the same 
format as the numeric Global History view. The code 
is GHISTORY NUMERIC ABS. 


Graphic shows the history statistics in the same 
format as the graphic Global History view. You can 
choose the scale used on the axis, which can be 0.4, 2, 
10, 20, 50, or 100%. The code is GHISTORY GRAPHIC 
ABS. 


Time the monitoring session started. The code is 
GMON START. 
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Error Fields 


Station Fields 


End 


Active 


CurrTime 


FrmSizes 


Etypes 


Time the monitoring session stopped. If a monitoring 
session is in progress when the report is generated, the 
current time is printed. The code GMON END. 


Duration of the monitoring session. The code is 
GMON ACTIVE. 


Current time. The code is GCURRENT TIME. 


Distribution of the frame sizes. It displays the number 
of frames that fall in each size category. The format is 
the same as the Frame Sizes view. The code is 
GFRAME SIZES. 


Distribution of bytes or frames according to protocol 
types. The format is the same as the Protocol Types 
(Ethertypes) view. The code is GETHERTYPES.BYTES 
or GETHERTYPES.FRAMES, depending on whether 
you select to display the number of bytes or frames. 


The fields under the heading “Errors” represent different types of 
errors on the network, which are the same as the ones displayed in the 
lower-left portion of the numeric Global Statistics view. The following 
list explains the meanings of the Error fields: 


Runt 


Align 


CRC 
Tot Errs 


Unsaved 


Missed 


Tot Lost 


Number of runt frames. The code is ERU. 


Number of frames with alignment errors. The code is 
EAL. 


Number of frames with CRC errors. The code is ECR. 
Total number of frames with errors. The code is ETE. 


Number of frames that are not saved to the monitor’s 
memory. The code is EUN. 


Number of frames that are missed by the monitor. The 
code is EMI. 


Total number of frames that are lost and not analyzed 
by the monitor. The code is ETL. 


The fields under the heading “Station” represent station information. 
The following list explains the meanings of the Station fields: 


Sort Pos 
Address 


Sort position of the station. The code is SS. 


Station address. The code is SADDRESS. 


ES 
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Name 


Hist Stn 


Text 


CSV Ret 


Station name. The code is SNAME. 


Name of station the monitor collects history statistics 
for. The code is SHISTORY STN. 


Text characters. If you want to have characters 
separating two entries in the report, position the 
cursor below the line that represents an entry in the 
script, type the character and insert Text. The 
character is printed below each entry in the generated 
report, and is replicated four times. For example, if 
you want to print ##### between each pair of entries in 
the generated report, type # and select Text. The 
character and the code appear in the report script as 
#@ST@. If no character precedes the field, the report 
assumes that character to be a blank, and a blank line 
appears in the generated report where you insert Text. 


Carriage return in a report script with CSV format. 
Use this field if the report contains lines that exceed 
the maximum width of the script (80 characters). The 
report suppresses a linefeed where you insert this 
field. For example, your report contains four fields, 
each of which has 30 characters. If you insert CSV Ret 
after the second field, the third and fourth fields are 
printed on the same line as the first two in the 
generated report. Although the total length of the 
fields exceeds the width of the report script, they are 
interpreted as one entry when the report is imported 
into a spreadsheet program. The code is SC. 


From, To, and Both Fields 


The headings “From,” “To,” and “Both” represent the class of traffic. 
The fields under the headings “From” and “To” are related to traffic 
transmitted and received by each station in the report. The fields 
under the heading “Both” are related to the traffic both transmitted 
and received by the stations. The following list explains the meanings 
of the fields under these headings. The term “this station” refers to the 
station that is displayed as a report entry. 


Partner 


When used as a From field, Partner is the most recent 
station that received traffic from this station. The code 
is FPARTNER. 


When used as a To field, Partner is the most recent 
station that transmitted traffic to this station. The code 
is TPARTNER. 


Network 
General 


From, To, and Both Fields 


When used as a Both field, Partner is the name of the 
station that this station most recently transmitted 
traffic to or received traffic from. The code is 
BPARTNER. 


% Usage When used as a From field, % Usage is the network 
usage caused by the amount of traffic transmitted 
from this station. 


When used asa To field, % Usage is the network usage 
caused by the amount of traffic sent to this station. 


When used as a Both field, % Usage is the network 
usage caused by traffic that is sent from and to this 
station. 


Regardless of the class of traffic, the % Usage field has 
these options: 


Absolute represents the absolute network usage; 
Relative represents the relative network usage. 


Numeric displays the network usage in numbers 
(without the percent sign). Graphic displays the 
network usage ina graph. You can choose the scale for 
the axis, which can be 0.4, 2, 10, 20, 50, or 100%. 


The following table lists the codes used for this field. 


[J asotte Relative J 
fo jruas—SSSSCS~=*dORESSSSCSCSCSC*d 


Figure B-2. Codes for the % Usage fields in the numeric format. 


es 


Figure B-3. Codes for the % Usage fields in the graphic format. 


Frames When used as a From field, Frames is the number of 
frames sent from this station. The code is FFRAME. 


When used as a To field, Frames is the number of 
frames sent to this station. The code is TFRAME. 


When used as a Both field, Frames is the number of 
frames sent from and to this station. The code is 
BFRAME. 


a 
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Errors 


Bytes 


Avg Size 


First 


Last 


When used as a From field, Errors is the number of 
frames with errors sent from this station. The code is 
FER. 


When used as a To field, Errors is the number of 
frames with errors sent to this station. The code is TER. 


When used as a Both field, it is the number of frames 
with errors sent from or to this station. The code is 
BER. 


When used as a From field, Bytes is the number of 
bytes sent from this station. The code is FBYTE. 


When used as a To field, Bytes is the number of bytes 
sent to this station. The code is TBYTE. 


When used as a Both field, Bytes is the number of 
bytes sent to and from this station. The code is BBYTE. 


When used as a From field, Avg Size is the average 
size of the frames sent from this station. The code is 
FAV. 


When used as a To field, Avg Size is the average size 
of the frames sent to this station. The code is TAV. 


When used as a Both field, Avg Size is the average size 
of the frames sent to and from this station. The code is 
BAV. 


When used as a From field, First is the time when this 
station first sent out traffic during the current 
monitoring session. The code is FFIRST. 


When used as a To field, First is the time when this 
station first received traffic during the current 
monitoring session. The code is TFIRST. 


When used as a Both field, First is the time when this 
station first received or sent traffic during the current 
monitoring session. The code is BFIRST. 


When used as a From field, Last is the time when this 
station made the most recent transmission. The code is 
FLAST. 


When used as a To field, Last is the time when the 
monitor detected the last frame containing this 
station’s address as the destination address. The code 
is TLAST. 


From, To, and Both Fields 


Elapsed 


History 


When used as a Both field, Last is the time when this 
station made the most recent transmission or when the 
monitor detected the last frame containing this 
station’s address as the destination address. The code 
is BLAST. 


When used as a From field, Elapsed is the length of 
time between the station’s first and last transmission 
in the current monitoring session. The code is 
FELAPSED. 


When used as a To field, Elapsed is the length of time 
between the monitor’s first and last detection of the 
station’s address as a destination address. The code is 
TELAPSED. 


When used as a Both field, Elapsed is the length of the 
time period between the station’s first and last 
network activity, which can be a transmission or 
reception. The code is BELAPSED. 


Displays the station’s history statistics in the same 
format as the statistics view generated by Station 
history on the monitor’s Main Menu. 


When used as a From field, the display includes the 
number of frames sent from this station. The code is 
FHISTORY. 


When used as a To field, the display includes the 
number of frames sent to this station. The code is 
THISTORY. 


When used as a Both field, the display includes the 
number of frames both sent to and from this station. 
The code is BHISTORY. 


This field has several options: 


Absolute means that all network usage percentages in 
the report are absolute; Relative means that all 
network usage percentages in the report are relative. 
The codes are ABS and REL for Absolute and 
Relative, respectively. 


Numeric displays the station history statistics in 
numbers. The code is NUMERIC. Graphic displays 
the statistics in a graph. You can choose the scale for 
the axis, which can be 0.4, 2, 10, 20, 50, or 100%. The 
code is GRAPHIC. 
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List of Codes 


In the report, the codes for the options are 
concatenated to form a single code. For example, if 
you select History as a To field, and Numeric and 
Absolute as the options, the code for the field is 
THISTORY NUMERIC ABS. 


This section lists all the codes alphabetically that can appear in a 
report script. They are arranged according to the fields under which 


they appear. 
Both 
Code Report Field 
BAV Avg Size 
BBYTE Bytes 
BELAPSED Elapsed 
BER Errors 
BFIRST First 
BFRAME Frames 
BHISTORY GRAPHIC ABS _ History (Absolute, Graphic) 
BHISTORY GRPHIC REL History (Relative, Graphic) 
BHISTORY NUMERIC ABS History (Absolute, Numeric) 
BHISTORY NUMERIC REL _ History (Relative, Numeric) 
BLAST Last 
BPARTNER Partner 
BUAB % Usage (Absolute, Numeric) 
BURE % Usage (Relative, Numeric) 
BUSAGE ABS % Usage (Absolute, Graphic) 
BUSAGE REL % Usage (Relative, Graphic) 
Errors 
Code Report Field 
EAL Align 
ECR CRC 
B-10 


List of Codes 


From 


Global 


EMI 
ERU 
ETE 
ETL 
EUN 


Code 

FAV 
FBYTE 
FELAPSED 
FER 
FFIRST 
FFRAME 


FHISTORY GRAPHIC ABS 
FHISTORY GRPHIC REL 

FHISTORY NUMERIC ABS 
FHISTORY NUMERIC REL 


FLAST 
FPARTNER 
FUAB 

FURE 
FUSAGE ABS 
FUSAGE REL 


Code 

GAV 

GBYTE 
GCURRENT TIME 
GELAPSED 
GFIRST 


Missed 
Runt 
Tot Errs 
Tot Lost 


Unsaved 


Report Field 

Avg Size 

Bytes 

Elapsed 

Errors 

First 

Frames 

History (Absolute, Graphic) 
History (Relative, Graphic) 
History (Absolute, Numeric) 
History (Relative, Numeric) 
Last 

Partner 

% Usage (Absolute, Numeric) 
% Usage (Relative, Numeric) 
% Usage (Absolute, Graphic) 
% Usage (Relative, Graphic) 


Report Field 
Avg Size 
Bytes 
CurrTime 
Elapsed 
First 
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GFRAME Frames 
GFRAME SIZES FrmSizes 
GHISTORY GRAPHIC ABS __ History (Graphic) 
GHISTORY NUMERIC ABS __ History (Numeric) 
GLAST Last 
GMON ACTIVE Active 
GMON END End 
GMON START Start 
GROUTE.LENGTHS Routing (Lengths) 
GROUTE.PATHS Routing (Paths) 
GS Stations 
GSAPS.BYTES SAPs (Bytes) 
GSAPS.FRAME SAPs (Frames) 
GSERVER ADDR SrvrAddr 
GUAB % Usage (Numeric) 
GUSAGE ABS % Usage (Graphic) 
Station 
Code Report Field 
SADDRESS Address 
5C CSV RET 
SHISTORY STN Hist Stn 
SNAME Name 
SS Sort Pos 
SSTATUS Status 
ST Text 
To 
Code Report Field 
TAV Avg Size 
IBYTE Bytes 
TELAPSED Elapsed 
B-12 


List of Codes 


TER 
TFIRST 
TFRAME 


THISTORY GRAPHIC ABS 
THISTORY GRPHIC REL 

THISTORY NUMERIC ABS 
THISTORY NUMERIC REL 


TLAST 
TPARTNER 
TUAB 

TURE 
TUSAGE ABS 
TUSAGE REL 


Errors 

First 

Frames 

History (Absolute, Graphic) 
History (Relative, Graphic) 
History (Absolute, Numeric) 
History (Relative, Numeric) 
Last 

Partner 

% Usage (Absolute, Numeric) 
% Usage (Relative, Numeric) 
% Usage (Absolute, Graphic) 
% Usage (Relative, Graphic) 
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General 


DISTRIBUTED SNIFFER SYSTEWM™ 


APPENDIX C: ETHERTYPE VALUES C 


Network 


Appendix C. Ethertype Values 


Chapter Overview 


This appendix lists the hexadecimal values of the various Ethertypes. 
The Ethertype value is stored in the “Type” field, which is the 13th 
and 14th octets after the preamble in an Ethernet frame. The values in 
these fields are managed by Xerox. 


Ethertypes 

The following is a list of Ethertype values that you can add to the 

STARTUP.ENT file: 

0000-05DC IEEE 802.3 Length Field 

0200 Xerox PUP (conflicts with IEEE 802.3 Length Field 
range) 

0201 Xerox PUP Address Translation 

0600 Xerox NS IDP 

0800 DOD Internet Protocol (IP) 

0801 X.75 Internet 

0802 NBS Internet 

0803 ECMA Internet 

0804 CHAOSnet 

0805 X.25 Level 3 

0806 Address Resolution Protocol (ARP) (for IP and for 
CHAOS) 

0807 XNS Compatibility 

081C Symbolics Private 

0888-088A Xyplex 

0900 Ungermann-Bass network debugger 

0A00 Xerox IEEE 802.3 PUP 

OAO01 Xerox IEEE 802.3 PUP Address Translation 

OBAD Banyan Systems 

1000 Berkeley Trailer negotiation 


1001-100F Berkeley Trailer encapsulation for IP 


os 
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1600 
4242 
5208 
6000 
6001 


6002 


6003 
6004 
6005 
6006 
6007 


6008 
6009 
6010-6014 
7000 
7002 
7020-7029 
7030 
7034 
8003 
8004 
8005 
8006 
8010 
8013 
8014 
8015 
8016 
8019 
802E 


VALID system protocol 

PCS Basic Block Protocol 

BBN Simnet Private 

DEC unassigned, experimental 


DEC Maintenance Operation Protocol (MOP) Dump/ 
Load Assistance 


DEC Maintenance Operation Protocol (MOP) Remote 
Console 


DECnet Phase IV, DNA Routing 

DEC Local Area Transport (LAT) 

DEC diagnostic protocol (at interface initialization) 
DEC customer protocol 


DEC Local Area VAX Cluster (LAVC), System 
Communication Architecture (SCA) 


DEC unassigned 

DEC unassigned 

3Com 

Ungermann-Bass download 
Ungermann-Bass diagnostic/ loopback 
LRT 

Proteon 

Cabletron 

Cronus VLN 

Cronus Direct 

HP Probe protocol 

AT&T 

Excelan 

Silicon Graphics diagnostic 

Silicon Graphics network games 
Silicon Graphics reserved 

Silicon Graphics XNS NameServer, bounce server 
Apollo DOMAIN 


Tymshare 


C4 


Ethertypes 


802F 
8035 
8036 
8038 
8039 
803A 
803B 
803C 
803D 
803E 
803F 
8040 
8041 
8042 
8044 
8046 
8047 
8049 
805B 


805C 
805D 
8060 
8062 
8065 
8066 
8067 
8068 
8069 
806A 
806C 
806D 


Tigan 

Reverse Address Resolution Protocol (RARP) 
Aeonic Systems 

DEC LAN Bridge Management 

DEC unassigned 

DEC unassigned 

DEC unassigned 

DEC unassigned 

DEC Ethernet CSMA/CD Encryption Protocol 
DEC unassigned 

DEC LAN Traffic Monitor Protocol 

DEC unassigned 

DEC unassigned 

DEC unassigned 

Planning Research Co. 

AT&T 

AT&T 

ExperData 


VMTP (Versatile Message Transaction Protocol, RFC- 
1045) (Stanford) 


Stanford V Kernel, version 6.0 

Evans & Sutherland 

Little Machines 

Counterpoint Computers 

University of Massachusetts, Amherst 
University of Massachusetts, Amherst 
Veeco Integrated Automation 
General Dynamics 

AT&T 

Autophon 

ComDesign 


Compugraphic 


(Nexo C-5 
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806E-8077 
807A 

807B 

807C 
807D-807F 
8080 
8081-8083 
809B 
809C-809E 
809F 

80A3 
80A4-80B3 
80C0-80C3 
80C6 

80C7 
80C8-80CC 
80CD-80CE 
80CF-80D2 
80D3-80D4 
80D5 
80DD 
80DE-80DF 


80E0-80E3 
80E4-80F0 
80F2 
80F3 
80F4-80F5 
80F7 
80FF-8103 
8107 
8108 


Landmark Graphics 

Matra 

Dansk Data Elektronik 

Merit Internodal (or University of Michigan) 
Vitalink 

Vitalink TransLAN II] Management 
Counterpoint Computers 

EtherTalk (AppleTalk over Ethernet) 
Datability 

Spider Systems 

Nixdorf Computers 

Siemens Gammasonics 

DCA (Digital Comm. Assoc.) Data Exchange Cluster 
Pacer Software 

Applitek 

Intergraph 

Harris 

Taylor Instrument 

Rosemount 

IBM SNA Services over Ethernet 
Varian 


Integrated Solutions Transparent Remote File System 
(TRFS) 


Allen-Bradley 

Datability 

Retix 

AppleTalk Address Resolution Protocol (AARP) 
Kinetics 

Apollo 

Wellfleet 

Symbolics Private 


Symbolics Private 


Ethertypes 


8109 
8130 
8131 
8137 
8138 
8139-813D 
9000 
9001 
9002 


9003 
FFO00 


Symbolics Private 

Waterloo Microsystems 

VG Laboratory Systems 

Novell (old) NetWare IPX (ECONFIG E option) 
Novell 

KTI 

Loopback (Configuration Test Protocol) 

Bridge Communications XNS Systems Management 


Bridge Communications TCP/IP Systems 
Management 


Bridge Communications 


BBN VITAL-LANBridge cache wakeups 
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General 


DISTRIBUTED SNIFFER SYS TEM™ 


Network 
enek 


Index 


Numerics 
3Com, Ethertype value C-4 


A 


Absolute network usage 3-4 


Absolute usage, filter for reports 9- 
31 


Acknowledging alarms 
—effects on the console 5-14 
—pressing F3 3-17 
Active stations 
—definition 9-16, 9-29 
—displaying in statistical views 3- 
12 


Adding a blank line in a report script 
6-24 


Adding addresses to station data 
files 4-3 


Adding addresses to station list 2-11 


Adding headers in report scripts 6— 
24 


Adding protocols to STARTUP.ENT 
with EDLIN 3-16 


Address 
—adding to station data files 4-3 
—broadcast 8-4 
—filter for reports 9-31 
—illegal 5-13 
—station 4-4, 8-3, 8-4 


Address Resolution Protocol (ARP) 
(for IP and for CHAOS), Ether- 
type value C-3 


Aeonic Systems, Ethertype value C— 
5 


Alarm buffer 3-17, 5-4, 5-14, 8-5 


Alarm log on the console 5-4, 5-14, 
5-15 


Alarm log option 3-17, 9-7 
Alarm Log view (figure) 9-20 


Alarm Log view, displaying 3-17, 5- 
13, 5-14, 9-7 


Alarm option 4~9, 5-16 
Alarm processing (figure) 5-3 


Alarm threshold information in 
Manage Station Information view 
46 

Alarm thresholds 

—changing 4-9, 5-7 

—global 5-5, 9-25 

—in STARTUP.ENA 8-3 

—types 5-4, 9-25 
ALARM.LOG 5-17, 9-26 


Alarms 

—acknowledging 5-14 

—caused by illegal source address 
5-13 

—clearing 5-14, 9-20 

—clearing automatically 5-16 

—clearing manually 5-16 

—different ways of clearing 5-15 

—interpreting 5-7 

—logging 5-16 

—printing 5-16, 9-25, 9-26 

—printing automatically 5-16 

—-priority levels 54, 9-26 

—saving to disk 5-17, 9-25, 9-26 

—station thresholds 5-6 

—when monitoring one type of 
station 2-11, 5-7 

—with unmodifiable thresholds 5- 
4, 5-13 


Alarms sent to the console (figure) 
5-5 


Align history 9-5 
Align history (figure) 9-5 
Align history option 9-5 
Alignment errors 9-9 
All stations option 
—Display menu 9-6 
—Monitor filters menu 2-11, 3-6, 
9-4 
All Stations Statistics view 
—graphic (figure) 9-17 
—numeric (figure) 9-16 
Allen-Bradley, Ethertype value C-6 
Analyzer 
—menu structure 2-4 
—starting 2-16 


—use of STARTUP.END 2-11, 2- 
13 


—use of STARTUP.ENI 8-5 
—use of station data files 4-3 
—user interface 2-4 


AND operator, using with report fil- 
ters 6-23, 6-25, 9-29 


Apollo DOMAIN, Ethertype value 
C4 


Apollo, Ethertype value C-6 


Appending alarms to existing 
ALARM.LOG 5-17 


AppleTalk Address Resolution Pro- 
tocol (AARP), Ethertype value C- 
6 


Applitek, Ethertype value C-6 


Applying default station thresholds 
by pressing F2 5-12 


Ascending order, sorting statistics in 
reports 6-22 


Assigning a value to an option 2-7 


Assigning an Ethertype value in 
STARTUP.ENT 8-5 


Assigning default alarm settings 4-3 
AT&T, Ethertype value C-4, C-5 
Audible alarms on the console 5-14 
Auto clear option 5-15, 5-16, 9-25 
Auto print option, Report menu 9- 


Automatic report generation, termi- 
nating 6-17 


Automatically clearing alarms 5-16 
Automatically printing alarms 5-16 
Autophon, Ethertype value C-5 


Average frame size 
—for each station 7-7 
—-sorting station statistics by 3-12 


Average network usage in a moni- 
toring session 9-8 


Average size of transmitted frames 
9-8 


Average size, filter for reports 9-30 
Axis in a graphic statistical view 3-4 


Index—3 
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B 


Background monitoring 
—meaning 2-15 
—stopping 2-16 


Backup copies of station data files 4— 
3, 4-10, 8-3 


BACKUP.ENA 4-3, 8-3 

BACKUP.END 4-3, 8-3 

Banyan Systems, Ethertype value C— 
3 


Baseline for your network 
—examining frame size distribu- 
tions 7—7 
—gathering history statistics 7-3 
—generating station history report 


—protocol testing 7-6 


BBN Simnet Private, Ethertype val- 
ue C4 


BBN VITAL-LANBridge cache 
wakeups, Ethertype value C-7 


Berkeley Trailer encapsulation for 
IP, Ethertype value C-3 


Berkeley Trailer negotiation, Ether- 
type value C-3 


Blank report script 6-19 


Bridge Communications TCP/IP 
Systems Management, Ethertype 
value C-7 


Bridge Communications XNS Sys- 
tems Management, Ethertype 
value C-7 


Bridge Communications, Ethertype 
value C-7 


Bringing background monitoring to 
foreground 2-16 


Broadcast address 8-4 
Broadcast alarm threshold 5-6 
Broadcast alarm, global 9-25 
Broadcast frames 5-6 


Broadcast, illegal source address 5— 
13 


Bytes, filter for reports 9-30 


Cc 

Cable test 7-5 

Cable tester option 7-5, 9-3 
Cabletron, Ethertype value C4 


Calculating average size of transmit- 
ted frames 9-8 


Capabilities of the monitor 1-3 
Carriage return symbol in Main 


Menu 2-6 


Changing 


—a station name 9-35 

—alarm thresholds during a moni- 
toring session 4-9, 5-7 

—default station alarm thresholds 
5-11 


—global alarm thresholds 5-8, 5— 
10 


—global or station alarm thresh- 
olds by pressing F7 4~9 


—station alarm thresholds 4-8 
CHAOSnet, Ethertype value C-3 


Character strings in CSV reports 6- 
14 


Characters available in report 
scripts, displaying by pressing F7 
6-24 


Choosing a value for an option 2-7 


Class of traffic 
—definition 9-7 
—in Station History views 3-20 


—setting for station history statis- 
tics 7-4 


Class of traffic, meaning 3-3, 3-4 
Class option 3+4, 3-9, 3-21, 9-7 
Clear alarm file option 5-17, 9-27 
Clear option, Report menu 9-31 
Clearing a report script 6-19 


Clearing alarms 3-17, 9-20 
—effects of 5-14 
—-pressing F4 3-17, 5-16 


Clearing alarms automatically 9-24 
Clearing alarms manually 5-16 


Clearing contents of the report edi- 
tor 9-31 


Clock ina statistical view 3-5 
Codes in report scripts 6-20 

Colors used in graphic displays 3-9 
ComDesign, Ethertype value C-5 


Commas, inserting to separate re- 
port fields 6-14 


Compugraphic, Ethertype value C-5 


Configuring the network’s data 
buffers 3-15 


Connectivity problems 2-13, 7-6 


Console 
—printing reports 6-15 


—receiving alarms from server 5-5 
Console’s alarm log 5-4, 5-14, 5-15 
Console’s audible alarms 5-14 


Console’s Server Status display 54, 
5-14 


Corrupted source address 5-13 


Counterpoint Computers, Ethertype 
value C-5, C-6 


CRC errors 9-9 

Creating a report script 6-19 
Creating backup data files 4-3 
Cronus Direct, Ethertype value C-4 
Cronus VLN, Ethertype value C-4 
Current network usage 9-8 


Current time, graphic Global Statis- 
tics view 9-10 


Cursor keys 2-5 


Cursor position in a report script 6— 
21 


D 


Dansk Data Elektronik, Ethertype 
value C-6 


Data rate of the monitor 9-9 
Datability, Ethertype value C-6 


DCA (Digital Comm. Assoc.) Data 
Exchange Cluster, Ethertype val- 
ue C-6 


DEC customer protocol, Ethertype 
value C-4 

DEC diagnostic protocol (at inter- 
face initialization), Ethertype val- 
ue C4 


DEC Ethernet CSMA/CD Encryp- 
tion Protocol, Ethertype value C- 
5 


DEC LAN Bridge Management, 
Ethertype value C-5 


DEC LAN Traffic Monitor Protocol, 
Ethertype value C-5 


DEC Local Area Transport (LAT), 
Ethertype value C4 


DEC Local Area VAX Cluster 
(LAVC), System Communication 
Architecture (SCA) 


—Ethertype value C4 
DEC Maintenance Operation Proto- 


col (MOP) Dump/ Load Assis- 
tance, Ethertype value C4 
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Index 
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DEC Maintenance Operation Proto- 
col (MOP) Remote Console, 
Ethertype value C4 


DEC unassigned, experimental, 
Ethertype value C4 


DECnet Phase IV, DNA Routing, 
Ethertype value C4 


Default alarm thresholds, station 9- 
25 


Default option settings 2-3 

Default station alarm thresholds, 
changing 5-11 

Deferring alarms when alarm buffer 
is full 5-14 

Defining report filters 6-23 

Deleting a line in a report script 6-24 

Deleting alarms 3-17, 5-14 

Deleting broadcast address 8-4 

Deleting stations 4-9 

Delimited format option 9-6, 9-29 

Delimited format, report 6-12 

Delimited format, reports 6-13 

Delimited report format 8-6, 9-6 


Descending order, sorting statistics 
in reports 6-22 

Deviations from normal traffic pat- 
terns 7-3 

Display option 9-6 

Display options, numeric vs. graphic 


Display, freezing 3-5 
Displaying 
—a report by pressing F9 6-15, 6- 
24 


—alarm log 5-13, 9-20 

—Alarm Log view 5-14 

—duration of a monitoring session 
3-6 

—frame sizes 9-17 

—global history 9-21 

—global statistics 3-8, 9-7 

—Help menu by pressing F1 2-10 

—history statistics for a station 7-4 

—Manage Station Information 
view 4-6, 9-34 

—options by pressing F6 2-9 

—Report Script Editor view 9-28 

—server's Main Selection Menu 9- 
36 

—sorted statistics for all stations 9- 
15 


—station history statistics 3-20, 3— 
21, 9-22 

—station statistics 3-8, 9-11 

—statistics by pressing F3 2-9, 3-3 

—-statistics for all stations 3-11 

—the station list 2-11, 2-12 


Distribution of bytes by protocol 
types (figure) 3-16 
DIX LOOP option 9-4 


DOD Internet Protocol (IP), Ether- 
type value C-3 


Duration of a monitoring session 3-6 


E 

ECMA Internet, Ethertype value C-3 

Edit option 
—Alarm menu 4-3, 5-12, 9-24 
—Manage station menu 4-3 
—Report menu 9-28 

Editing 
—report scripts 6-18, 6-19, 9-33 
—station information 4-5 

Editing a station name 9-35 


Editing report scripts using function 
keys 9-33 


Editing station information 9-35 


EDLIN, adding protocols to STAR- 
TUP.ENT 3-16 


Effects of clearing alarms 5-14 


Elapsed activity 
—filter for reports 9-31 
—sorting station statistics by 3-12 


Embedded commas in report fields 
6-13 


ENALARMS directory 5-17, 8-3 


End key for viewing the last screen 
of statistical view 3-6 


ENHIST directory 7-3, 8-3, 9-6 


ENREPORT directory 6-3, 6-17, 6- 
18, 8-3, 8-7 


ENSNIFF directory 2-11, 4-3, 8-3 
Entering text in a report script 6-21 


Entering the @ symbol in a report 
script 6-21 


Erasing contents of report editor 9- 
31 


Erasing history statistics 3-18 
Erasing station history statistics 3-20 


Error counts in numeric Global Sta- 
tistics view 3-6 


Error counts, numeric Global Statis- 
tics view 9-9 


Error messages A-3 to A-7 
Errors alarm 
—global 9-25 
—station 9-25 
Errors alarm threshold 5-6 
—station 9-35 


Errors report script 64, 9-27 


ERRORS report, determining station 
errors threshold 5-9 


Errors, filter for reports 9-30 
ERRORS.SCR 6+4, 9-27 


Esc, returning to previous screen 2- 
10 


Ethernet V2 Loopback frame 9-4 


EtherTalk (AppleTalk over Ether- 
net), Ethertype value C-6 


Ethertype protocol option 9-6 
Ethertype report 9-27 
Ethertype report script 6-5 


Ethertype value 
—NetWare 3-16 


Ethertype values C-3 to C-7 
—in STARTUP.ENT 8-5 


Ethertypes, displaying 3-15 
ETYPES.SCR 9-27 


Evans & Sutherland, Ethertype val- 
ue C-5 


Exceeding the alarm buffer’s capaci- 
ty, consequence of 5-14 


Excelan, Ethertype value C-4 
Exit option 2-16, 9-36 
Exit to DOS 4-10 


Exiting the monitor user interface 9- 
36 


ExperData, Ethertype value C-5 
Exporting report files 6-13 


F 
F1, displaying Help menu 2-9, 2-10 
F10 
—starting or stopping a monitor- 
ing session 2-9, 2-12 
—stopping a monitoring session 2— 
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F2, applying default station thresh- 
olds 5-12 
F3 
—acknowledging alarms 3-17 
—displaying statistics 2-9, 3-3 
F4, clearing alarms 3-17, 5-16 
F5, returning to Main Menu 2-9 
F6 
—displaying options 2-9 
—resetting station alarm thresh- 
olds 4-9 
F7 
—changing global or station alarm 
thresholds 4-9 
—displaying available characters 
in report scripts 6-24 
—scaling up the axis in a graphic 
display 3-4 
F8, scaling down the axis in a graph- 
ic display 3-4 
F9 
—displaying a report 6-15, 6-24 
—freezing screen display 3-5 
—redisplaying after freezing the 
screen 3-5 
File option, Alarm\Log to menu 5— 
17, 8-5 
File transfer between server and con- 
sole 2-15, 2-16 
Filenames 
—report scripts 6-26 
—reports 6-18 


—reports generated automatically 
6-17 


—reports generated manually or 
automatically 8-6 


—reports saved to disk 6-18 
Filters 

—examples 6-26 

—for defining a report script 9-29 

—specifying using the AND opera- 

tor 6-25 

First activity 

—filter for reports 9-31 

—sorting station statistics by 3-12 


First network activity 3-6 

Format of statistical display 3-3 
Fragments in Frame Sizes view 9-18 
Frame size report script 6-6, 9-27 
Frame sizes option 3-15, 7-7, 9-6 


Frame Sizes view 9-17 
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Frame Sizes view (figure) 9-18 
Frame sizes, displaying 9-7 
Frames 
—802.2 test 9-3 
—broadcast 5-6 
—displaying the sizes of 3-15 
—Ethernet V2 Loopback 9-4 
—filter for reports 9-30 
—missed 9-9 
—oversized 5-13 
—report script for size distribution 


—runt 9-9 
—shorter than minimum frame 
size 9-9 
—size distribution 7-7 
—sizes 3-15, 7-4 
—unsaved 9-9 
—with alignment errors 9-9 
—with CRC errors 9-9 
—with errors 5-6 
—XNS Echo 9-3 
Frames with errors 
—causing Errors alarm 5-6 
—sorting station history statistics 
by 7-4 
FRAMSIZE.SCR 6-6, 7-7, 9-27 
Freezing a screen display by press- 
ing F9 3-5 
Function keys 2-9, 3-6 
—for editing report scripts 9-28, 9- 
33 


—for editing station information 
9-36 


G 


General Dynamics, Ethertype value 
C-5 
Generating reports 6-14 


Global alarm thresholds 5-5, 5-6, 9- 
25 


Global alarms 
—broadcast 5-14 
—errors 5-14 
—idle 5-15 
—priority level 5-4, 5-6 
—unknown station 5-15 
—usage 5-14 
Global broadcast alarm 9-25 
Global errors alarm 9-25 
Global history option 3-19, 7-3, 9-7 


Global History Statistics view 7-3 
—graphic 3-19 
—graphic (figure) 9-22 
—numeric 3-18 
—numeric (figure) 9-21 


Global history statistics, displaying 
3-18, 3-19 


Global idle alarm 9-25 
Global statistics option 9-6 
Global Statistics view 3-6 
—displaying 3-8 
—graphic 9-10 
—graphic (figure) 9-10 
—numeric 9-7 to 9-9 
—numeric (figure) 9-8 
Global usage alarm 9-25 


Graphic All Stations Statistics view 
9-16 


Graphic Global History Statistics 
view 9-22 


Graphic option 3-8, 9-7, 9-11, 9-15, 
9-21 


Graphic Single Station view 9-13 


H 


Harris, Ethertype value C-6 

Header text in a printed report 6-15 

Help menu, displaying by pressing 
F1 2-9 


Highlighted options in the Main 
Menu 2-5 


Highlighting a menu option 2-5 
Highlighting an alarm 3-17 
History intervals 7-3, 9-4, 9-22 

—aligning 9-5 

—aligning (figure) 9-5 

—changing during a monitoring 

session 3-18, 3-20 

History option 9-4 
History report for a station 7-4 
History report script 6-7, 9-27 
History statistics 

—defining 2-12 

—erasing 3-18 


—for a particular station 7-4 
—global 3-18 


HISTORY.CSV 8-6, 9-6 
HISTORY.LOG 7-3, 8-6, 9-6 
HISTORY.SCR 6-7, 9-27 


Index 


Home key, viewing the first screen 
of statistical view 3-6 


HP Probe protocol, Ethertype value 
C4 


IBM SNA Services over Ethernet, 
Ethertype C-6 


Identifying stations 44 


Idle alarm 
—global 9-25 
—station 9-26 


Idle alarm threshold 
—global 5-6 
—station 5-7 


Idle network 5-6 
Idle threshold, station alarm 9-35 
IEEE 802.2 option 9-3 


IEEE 802.3 Length Field, Ethertype 
value C-3 


IEEE 802.3-compatible network 1-4 
Illegal source address 5-13 
Inserting a report field 6-19 


Integrated Solutions Transparent 
Remote File System (TRFS), 
Ethertype value C-6 


Interacting with the monitor 2-4 
Intergraph, Ethertype value C-6 


Interrupting the automatic naming 
process 4-5 


Intervals 
—history 9-22 
—to which global thresholds apply 
5-5 


Intrvl option 9-5 
IPX protocol 9-4 


K 


Keys for scrolling displays 3-6 
Kinetics, Ethertype value C-6 
KTI, Ethertype value C-7 


L 


Landmark Graphics, Ethertype val- 
ue C-6 


Last activity 
—filter for reports 9-31 
—sorting station statistics by 3-12 


Last network activity 3-6 


Length of a monitoring session 3-6 

Length of a station name 4-7 

Limitations of background monitor- 
ing 2-15 

Limiting stations in a report 6-23 

List of report fields 6-19 

List of report scripts 4-6 

Listeners report script 6-8, 9-27 

LISTENRS.SCR 6-8, 9-27 

eo Machines, Ethertype value C— 


Load option 6-14, 9-27 

Loading a report script 4-6, 6-14 

Loading the monitor application 
program 2-4 

Loading the monitor driver into 
memory 2-4, 2-16 

Log to disk option 9-6 


Log to option, used with Auto clear 
5-15 


Logging alarms to disk 5-16, 5-17, 
9-26 


Logging history statistics to disk 9-6 

Loopback (Configuration Test Pro- 
tocol), Ethertype value C-7 

Losing unnamed addresses 2-14 

LPT1 5-16, 6-15, 6-16 

LPT2 5-16, 6-15, 6-16 

LRT, Ethertype value C4 


M 


Main Menu 
—carriage return symbol 2-6 
—highlighted options 2-5 
—monitor 2-3 
—monitor (figure) 2-4 
—panels 2-5 
—-pressing Enter 2-6 


Main Selection Menu of Sniffer serv- 
er 2-17 


Main Selection Menu, Sniffer server 
9-36 
Manage Station Information view 9- 
34 
—alarm threshold information 4-6 
—displaying 4-3, 4-6 
—modifying STARTUP.ENA 84 
—modifying STARTUP.END 84 
—order of stations 4-7 


—unnamed addresses in 4-5 
—usage of function keys 9-36 
Manage Station Information view 
(figure) 44, 9-35 
Manage Stations Information view, 
modifying STARTUP.END 8-4 
Manage stations option 4-5, 4-6, 4-9 
Manually naming stations 4-5 
Manufacturer's code in station ad- 
dresses 8-4 
Matra, Ethertype value C-6 


Maximum number of entries in 
STARTUP.ENI 8-5 


Maximum number of entries in 
STARTUP.ENT 3-16 


Maximum number of Ethertype en- 
tries in STARTUP.ENT 8-5 


Maximum number of Ethertype la- 
bels in STARTUP.ENT 8-5 


MENU command 4-10 
Menu items 9-3 
Menu options 
—for specifying values 2-6 
—highlighting 2-5 
Menu structure 
—choosing options 2-6 
—monitor 2-5 
—moving through 2-5 
Menus of the monitor 2-4 
Merit Internodal (or Univ of Michi- 
gan), Ethertype value C-6 
Minimum configuration for the 
monitor 2-3 
Minimum frame size 9-9 
Missed frames 9-9 
Modifying station data files in Man- 
age Station Information view 4-3 
Modifying values in menus 2-6 
Monitor 
—alarm buffer 8-5 
—application program 2-4 
—assigning default alarm settings 
to stations 4-3 
—backup copies of data files 4-3 
—capabilities of 1-3 
—data rate 9-9 
—default option settings 2-3 
—driver 24 
—interacting with 2-4 
—Main Menu 2-3 
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—Main Menu (figure) 2-4 
—menu items 9-3 

—menu structure 2-5 
—minimum configuration 2-3 
—on-line help 2-10 
—-processing alarms (figure) 5-3 
—starting 2-4 

—system requirements 1-4 


—unloading driver from memory 
2-14 


—use of function keys 2-9 
—user interface 2-4 
Monitor Card, attaching 7-5 
Monitor driver 
—loading into memory 2-4, 2-16 


—unloading from memory 2-14, 
2-17,44 


Monitor filters option 2-11, 2-13, 9-4 
Monitor menus 2-4 
Monitor Services Menu 2-16 
Monitoring a single station 5-7 
Monitoring session 
—average network usage 9-8 
—background 2-15 
—duration 3-6 
—number of stations 9-8 
—starting 2-11, 2-12 
—stopping 2-15 
Monitoring, restricting 2-11 
Moving through menus 2-5 
Moving within Help menu 2-10 


Moving within the Manage Station 
Information view 4 


Multiple Ethertype values in STAR- 
TUP.ENT 8-5 


Multiple files, printing reports auto- 
matically 6-16 


Mutually exclusive options 2-6 


N 

Name for the broadcast address 8-4 
Name, filter for reports 9-30 
Named addresses 4-3 

Naming stations 


—automatically 4-5, 9-34 


—in Manage Station Information 
view 4-6 


—manually 4-5 
—reasons for 2-14, 44 


Naming stations automatically, in- 
terrupting 4-5 


NBSInternet, Ethertype value C-3 


NetBIOS 
—name in report scripts 6-20 


—remote status request command 
9-4, 9-34 


NetBIOS option 9-4 

NetBIOS station test 7-6 
NetBIOS test frame 9-3 
NetWare option 9-4 

NetWare protocol 14 
NetWare, Ethertype value 3-16 


Network Adapter Status screen 7-6, 
9-3 
Network cable, testing 7-5 


Network capacity, measuring net- 
work usage 3-5 


Network hardware, testing 7-5 


Network programs’ effects on frame 
size distributions 7-7 


Network traffic 


—for measuring network usage 3- 
5 


—network programs’ effects on 7— 
7 


Network traffic patterns 


—during different times of year 7- 
3 


—typical 7-3 
Network type 14 


Network usage 3-3, 3-4, 5-6 
—current 9-8 
—definition of 3-5 
—sorting station statistics by 3-12 


Network usage in Station History 
views 3-20 


Network usage option 3-5, 3-21, 9-7 


Network's data buffers, configuring 
3-15 


Network’s normal traffic patterns 7— 
3 


Nixdorf Computers, Ethertype val- 
ue C-6 


No response alarm 9-26 


No response alarm threshold 5-6, 9- 
35 


Normal file format, definition 6-13 


Normal traffic patterns, getting fa- 
miliar with 7-3 


Novell (old) NetWare IPX (ECON- 
FIG E option), Ethertype value C— 
7 


Novell, Ethertype value C-7 

Number of bytes, sorting station sta- 
tistics by 3-12 

Number of frames with errors, sort- 
ing station statistics by 3-12 


Number of frames, sorting station 
statistics by 3-12 


Number of history intervals 9-4 


Number of lines in a printed report 
6-15 


Number of stations displayed in a 
graphic All Stations Statistics 
view 9-17 

Numeric Global History Statistics 
view (figure) 3-18 

Numeric Global Statistics view (fig- 
ure) 3-7 

Numeric option 3-8, 9-7, 9-11, 9-15, 
9-21 

Numeric Single Station view 3-8 


Numeric view 
—all stations statistics 9-16 


—Global History Statistics 3-18, 9- 
21 


—Global Statistics 3-6 
—single station 3-8, 9-11 to 9-13 
—Station History Statistics 9-23 


e) 
On-line help 2-10 
Options 
—Alarm 4-9, 5-16 
—Alarm log 3-17, 9-7 
—Align history 9-5 
—All stations 3-6 
—All stations in Display menu 9-6 


—All stations in Monitor filters 
menu 2-11 


—All stations option in Monitor fil- 
ters menu 9-4 


—Auto clear 5-15, 5-16, 9-25 
—Auto print in Report menu 9-32 
—Cable tester 7-5, 9-3 

—Class 3+4, 3-9, 3-21 

—Clear alarm file 5-17, 9-27 
—Clear in Report menu 9-31 
—default settings 2-3 
—Delimited format 9-6, 9-29 
—Display 9-6 
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Network 
General 


Index 


ss eee 


—DIX LOOP 9-4 


—Edit in Alarm menu 4-3, 5-12, 9- 
24 


—Edit in Manage station menu 4-3 

—Edit in Report menu 9-28 

—Ethertype protocol 9-6 

—Exit 2-16, 9-36 

—File in Alarm\Log to menu 5-17, 
8-5 


—Frame sizes 3-15, 7-7, 9-6 
—Global history 3-19, 7-3, 9-7 
—Global statistics 9-6 
—Graphic 3-8, 9-7, 9-11, 9-15, 9- 
21 
—History 9-4 
—IEEE 802.2 9-3 
—Intrv] 9-5 
—list of 2-6 
—Load 6-14, 9-27 
—Log to 5-15 
—Log to disk 9-6 
—Manage stations 4-5, 4-6, 4-9 
—Monitor filters 2-11, 2-13, 9-4 
—NetBIOS 9-4 
—NetWare 9-4 
—Network usage 3-5, 3-21, 9-7 
—Numeric 3-8, 9-7, 9-11, 9-15, 9- 
21 
—Page size in Alarm\Log to\- 
Printer menu 5-17 
—Page size in Report \Print menu 
6-15 
—Print in Report menu 6-15, 9-31 
—Print to device in Report\ Auto 
print menu 6-16 
—Printer in Alarm\Log to menu 
5-16 
—Probe for names 4-5, 8-4 
—Report 4-6 
—Reset thresholds 5-13 
—Save in Report menu 9-31 
—Single station 3-10, 9-6 
—Sort by in Display \ All stations 
menu 9-15 
—Start time in Report\ Auto print 
menu 6-16 
—Station history 3-21, 7-4, 9-7 
—Station test 7-6 
—Stn 
in Display \Monitor filters menu 
2-11 
in Display \Single station menu 
3-10 
in Monitor filters menu 44 


—Stn in Display \Single station 
menu 9-11 


—Stn in History menu 2-12, 9-4 


—Stn in Monitor filters menu 2-13, 
9-4 


—Thresholds 9-25 

—To in Station test menu 9-3 
—traffic 9-7 

—Unknown station 5-8 
—XNS Echo 9-3 


OR operator, using with report fil- 
ters 6-23, 9-29 


Order of alarms 5-13 


Order of station names in Manage 
Station Information view 4—7 


Oversized frames 5-13 


P 


Pacer Software, Ethertype value C-6 
Page breaks in a printed report 6-15 
Page breaks in printed alarm logs 5- 
17 
Page size of printed alarm logs 5-17 
Page size option 
—Alarm \Log to\Printer menu 5- 
17 


—Report\Print menu 6-15 
Panels in the Main Menu 2-5 
Partner’s name 

—definition 3-12 

—filter for reports 9-30 


PCS Basic Block Protocol, Ethertype 
value C-4 


Planning Research Co., Ethertype 
value C-5 


Previewing a report 6-14, 9-34 
Print option, Report menu 6-15, 9- 
31 


Print to device option, Report \ Auto 
print menu 6-16 


Printer option in Alarm\Log to 
menu 5-16 

Printer ports 5-16 

Printing 
—alarms 5-16, 9-25, 9-26 
—alarms automatically 5-16 
—reports at the console 6-15 
—reports automatically 6-16 
—reports manually 6-15 
—the report header 6-15 


—the station list 46 

—the USERLIST report 4-6 
Priority levels 

—global alarms 54, 5-6 

—meaning of 9-26 

—station alarms 5~9, 9-35 
Probe for names option 4-5, 8-4 
Proteon, Ethertype value C4 
Protocol Types (Ethertypes) view 

(figure) 9-19 

Protocol types, displaying 3-15 
Protocols 

—IPX 9-4 

—NetWare 1-4 


Protocol-specific station tests 7-6 


R 


Recommendations 
—acknowledging alarms 5-14 
—avoiding statistics overflow 9- 

10, 9-14 
—changing a filter value 6-24 


—changing alarm thresholds 4-9, 
5-7 


—including server names in report 
scripts 6-20 


—monitoring all stations 2-11 
—naming stations 2-14 
—report editing 6-25 
—saving alarms 5-17 
—setting alarm thresholds 5-7 to 
5-10 
—setting history intervals 7-3 
—setting the Class option 7-4 
—using the Auto clear option 5-15 
Recording a station’s history statis- 
tics 7-4 
Redirecting printing to the console 
6-15 
Redisplaying after freezing the 
screen by pressing F9 3-5 
Relative network usage 3-4, 3-5 
Relative usage 
—filter for reports 9-31 


Remote status request command, 
NetBIOS 9-4, 9-34 


Removing the monitor driver from 
memory 2-14, 2-16, 2-17, 44 


Repeating a special character in a re- 
port script 6-24 


Report fields B-3 to B-13 
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—list of 6-19 
—options 6-20 
—spacing 6-20 
Report formats 
—delimited 6-13, 8-6, 9-6 
—normal file format 6-13 
Report header 6-15 
Report option 4-6 
Report Script Editor view 6-15, 6-18, 
6-19, 9-27, 9-28, 9-33 
Report scripts 
—adding or deleting lines in 6-18 


—comma-separated-values (CSV) 
format 6-12 


—creating 6-19 

—cursor position 6-21 
—definition 6-3 

—editing 6-18, 6-19 
—editing text in 6-25 
—ERRORS.SCR 6-4, 9-27 
—ETYPES.SCR 6-5, 9-27 
—FRAMSIZE.SCR 6-6, 9-27 
—HISTORY.SCR 6-7, 9-27 
—LISTENRS.SCR 9-27 
—loading 6-14, 9-27 
—samples of 6-3, 6-14 
—saving 6-26, 9-31 
—special characters 6-24 
—TALKERS.SCR 6-9, 9-27 
—types of 9-27 

—typing text in 6-21 
—USERLIST.SCR 6-10, 9-28 
—USERS.SCR 6-11, 9-28 
—USERSCSV.SCR 6-12, 9-28 


Report settings 6-23 
Report title 6-15 
Reports 


—adding or deleting lines 6-24, 9- 
33 


—delimited format 9-6 

—filenames 6-18 

—filters 6-23, 9-29 

—generating 6-14 

—importing into other applica- 
tions 6-13 

—page size 6-15 

—previewing 6-14, 9-34 

—-printing automatically 6-16 

—printing manually 6-15 

—saving to disk 2-17, 6-18, 9-33 

—sorting stations 6-18, 6-22, 9-28 


—using and repeating special char- 
acters 9-33 
—using filters in 6-18 


Reports generated automatically, 
filenames 6-17 


Requirements for the monitor 14 
Reset thresholds option 5-13 


Resetting alarm thresholds by press- 
ing Fo 4-9 


Resetting default station alarm 
thresholds 9-34 


Resetting station alarm thresholds 
5-12 


Restarting monitor after printing re- 
ports 6-17 


Retix, Ethertype value C-6 


Returning to Main Menu by press- 
ing F5 2-9 

Returning to previous screen by 
pressing Esc 2-10 


Reverse Address Resolution Proto- 
col (RARP), Ethertype value C-5 


Rosemount, Ethertype value C-6 
Runt frames 9-9 


Ss 


Sample entries 
—STARTUP.ENA 8-4 
—STARTUP.ENI 8-4 


Sample Network Adapter Status 
screen (figure) 7-6 


Sample report scripts 6-3, 6-14 
Save option, Report menu 9-31 
Saving 
—alarms to disk 5-17, 9-25, 9-26 
—report scripts 6-26, 9-31 
—reports to disk 6-18, 9-33 
Saving history statistics to disk 9-6 


Saving statistics by printing out re- 
ports 2-17 


Scaling down the axis in a graphic 
display by pressing F8 3-4 

Scaling up the axis in a graphic dis- 
play by pressing F7 3-4 


Screen display, scrolling 3-6 


SCRIPTS directory 6-3, 8-3, 8-7, 9- 
27 


Scrolling Help menu 2-10 
Scrolling the screen display 3-6 


Scrolling the screen in statistical 
views 3-12 


Selecting a station in Manage Station 
Information view 4-6 


Sending alarms to the console 5-5 
Server name in a report script 6-20 


Server Status display on the console 
5—4, 5-14 


Setting alarm priority levels 5-10 


Setting station alarm thresholds for 
devices handling heavy traffic 5- 
9 


Siemens Gammasonics, Ethertype 
value C-6 


Silicon Graphics diagnostic, Ether- 
type value C4 


Silicon Graphics network games, 
Ethertype value C-4 


Silicon Graphics reserved, Ethertype 
value C-4 


Silicon Graphics XNS NameServer, 
bounce server 


—Ethertype value C4 


Single file, printing reports automat- 
ically 6-16 


Single station option 3-10, 9-6 
Single Station Statistics view 
—numeric (figure) 9-11 


Single Station Statistics view, graph- 
ic (figure) 9-13 
Single Station view 3-8 
—displaying 3-8 
—graphic 3-9, 9-13 
—numeric 9-11 
Sizes of frames 7-4 


Sniffer server 
—RMain Selection Menu 9-36 
—powering off 2-6 
—with analyzer 2-4 


Sort by option, Display \ All stations 
menu 9-15 


Sort keys for reports 6-22 
Sort keys for station statistics 3-11 
Sort position, filter for reports 9-30 


Sorted station names in Manage Sta- 
tion Information view 4~7 


Sorted station statistics 3-11 


Sorting station history statistics by 
errors 7-4 


Sorting statistics for all stations 9-15 
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Sorting statistics in FRAMSIZE re- 
port by average frame size 7-7 
Source address 
—corrupted 5-13 
—illegal 5-13 
Spacebar, for choosing values 2-6, 2— 
8 
Spacing between report fields 6-20 
Special characters in a report script 
6-24 
Specifying a station for history sta- 
tistics collection 2-12 
Specifying an Ethertype value in 
STARTUP.ENT 8-5 
Specifying interval for printing re- 
ports automatically 6-16 
Specifying start time for printing re- 
ports automatically 6-16 
Specifying the history interval 9-5 
Specifying types of statistics in All 
Stations view 3-12 
Specifying values in menus 2-6 
Spider Systems, Ethertype value C-6 
Spreadsheet programs used with re- 
ports 6-13 
Spreadsheet-compatible report for- 
mat 8-6, 9-6 
Stanford V Kernel, version 6.0, 
Ethertype value C-5 
Start time option, Report \ Auto print 
menu 6-16 
Starting a monitoring session 2-11 
Starting or stopping a monitoring 
session by pressing F10 2-9, 2-12 
Starting the analyzer 2-16 
Starting the monitor 2-4 
STARTUP.ENA 8-3 
—contents 4-3, 8-3 
—contents of 5-11 
—deleting stations from 4~9 
—sample entry 84 
—saving changes to 4-10 
STARTUP.ENB 9-36 
STARTUP.END 84 
—broadcast address in 8-4 
—contents 2-13, 8-4 
—contents of 4-3 
—editing using EDLIN 4-3 
—saving changes to 4-9, 4-10 
—setting up 6-10 


—used by analyzer 2-11, 4-3 
STARTUP.ENI 
—contents 8-4 
—maximum number of entries 8-5 
STARTUP.ENT 3-16, 8-5, 9-18 
Station address 44, 8-3, 84 
Station addresses 
—adding to station list 2-11 
—in STARTUP.END 8-4 
—viewing on screen 4-6 
Station alarm settings, default 4-3 
Station alarm thresholds 5-6, 5-7 
—changing 4-8 
—changing defaults for 5-11 
—for new stations 54 
—recommendations for setting 5-9 
—resetting 5-12 
—types 5-6 
Station alarms 
—errors 5-15 
—idle 5-15 
—no response 5-15 
—-priority levels 5-9, 9-35 
—setting priority levels 5-10 
—usage 5-15 
Station data files 
—backup copies 4-3 
—backup copies of 4-10 
—deleting stations from 4-9 
—resetting alarm thresholds 9-34 
—used by analyzer and monitor 2- 
13, 4-3 
Station default thresholds 9-25 
Station errors alarm 9-25 
Station errors threshold 9-35 
Station history option 3-21, 7-4, 9-7 
Station history report, generating 7— 


Station history statistics 3-21 
—displaying 3-20, 3-21 
—erasing 3-20 

Station History Statistics view 
—graphic (figure) 9-24 
—numeric (figure) 9-23 

Station idle alarm 9-26 

Station idle alarm threshold 9-35 


Station information, editing 4-5, 9- 
35 


Station list 4-4 


—adding or deleting an address 2— 
13 


—address not appearing 2-13 


—choosing a station for history sta- 
tistics collection 9-4 


—displaying 2-11, 2-12 
—loading and unloading (figure) 
2-14 
Station name, editing 9-35 
Station names 
—in STARTUP.END 84 
—length of 4-7 
—sorting statistics by 3-11 
Station test option 7-6 
Station tests, protocol-specific 7-6, 
9-3 
Station usage alarm 9-26 
Station usage alarm threshold 9-35 


Stations 
—active 3-12 
—deleting 4-9 
—editing information 4-5 
—identifying 44 
—naming 2-14 
—naming automatically 4-5 
—naming manually 4-5 
—testing protocols 7-6, 9-3 
—unnamed 44 

Statistical view 


—after a monitoring session 
stopped 2-15 


—clock in upper-right corner 3-5 
—customizing 3-3 
—definition 9-6 
—displaying previous or next sta- 
tion 3-6 
—Single Station 3-8 
Statistical view for all stations, nu- 
meric vs. graphic 3-13 
Statistics 
—class 3-4 
—display options 3-3 
—global 3-6 
—global history 3-18 
—numeric and graphic displays 3- 
4 
—sort keys 3-11 
Statistics for all stations, sorted 3-14 
Statistics for transmitted or received 
frames, displaying 3-4 
Statistics overflow 9-10, 9-14 


Index—11 


Distributed Sniffer System: Ethernet Monitor Operations Manual 


Stn option 2-12 
—Display \Single station menu 3- 
10, 9-11 
—History menu 9-4 
—Monitor filters menu 2-11, 2-13, 
44,9-4 


Stopping a background monitoring 
session 2-16 


Stopping a monitoring session 2-15, 
4-9 


Stopping monitor's user interface 9- 
36 


Stopping screen updates 3-5 
Strings in CSV reports 6-14 


Symbolics Private, Ethertype value 
C-3, C-6, C-7 


T 
Talkers report script 6-9, 9-27 
TALKERS.SCR 6-9, 9-27 


Taylor Instrument, Ethertype value 
C-6 


Terminating automatic report gener- 
ation 6-17 


Terminating the monitor user inter- 
face 9-36 


Test frames for station tests 9-3 
Testing the network cable 7-5 


Tests for establishing network's 
baseline 7-3 


Thresholds option 9-25 
Tigan, Ethertype value C-5 


Time displayed in graphic Global 
Statistics view 9-10 


Timestamps in a numeric Global Sta- 
tistics view 3-6 


Timestamps, numeric Global Statis- 
tics view 9-9 


Title of a report 6-15 
To option, Station test menu 9-3 
Toggling values for a menu option 


Total network capacity, measuring 
network usage 3-5 


Total network traffic, measuring net- 
work usage 3-5 


Total number of history intervals 9-4 


Total number of stations in a moni- 
toring session 9-8 


Traffic counts, numeric Global Sta- 
tistics view 3-6, 9-8 


Transferring files between server 
and console 2-15, 2-16 


Transferring HISTORY.LOG from 
server to console 7-3 


Tymshare, Ethertype value C-4 
Types of alarm thresholds 5-4 
Types of global alarm thresholds 5-6 
Types of stations to monitor 2-11 


Types of statistics 

—AIll Stations Statistics view (nu- 
meric) 9-16 

—class of traffic 3-4 

—for displaying numerically or 
graphically 3-4 

—included in All Stations view 3- 
12 


—network usage 3-4 
Types of statistics for display 3-3 
Typical network traffic patterns 7-3 
Typing MENU at DOS prompt 4-10 


U 


Ungermann-Bass diagnostic/loop- 
back, Ethertype value C4 


Ungermann-Bass download, Ether- 
type value C4 


Ungermann-Bass network debug- 
ger, Ethertype value C-3 


University of Massachusetts, Am- 
herst 


—Ethertype value C-5 


University of Massachusetts, Am- 
herst, Ethertype value C-5 


Unknown station alarm threshold 5— 
6 


Unknown station alarms 4-9, 9-25 
Unknown station option 5-8 


Unloading the monitor driver from 
memory 2-14, 44 


Unnamed addresses, losing 2-14 
Unnamed stations 44 
Unsaved frames 9-9 


Usage alarm 
—global 9-25 
—station 9-26 


Usage alarm threshold 5-6, 5-7 
Usage alarm threshold, station 9-35 


User interface 


—analyzer 2-4 
—exiting 9-36 
—monitor 2-4, 2-5 

User list report script 6-10 


USERLIST report 4-5 
—contents of 4-6 
—generating 46 


—generating before naming sta- 
tions 4-5 


Userlist report script 9-28 
USERLIST.SCR 4-6, 6-10, 9-28 


Users report script 
—CSV format 6-12, 9-28 
—normal file format 6-11, 9-28 


USERS.SCR 6-11, 9-28 
USERSCSV.SCR 6-12, 9-28 


V 


VALID system protocol, Ethertype 
value C-4 


Varian, Ethertype value C-6 


Veeco Integrated Automation, 
Ethertype value C-5 


Vendor addresses 84 


VG Laboratory Systems, Ethertype 
value C-7 


View, definition 9-6 
Viewing ALARM.LOG 5-17 
Viewing previous or next station 3-6 


Viewing station addresses on screen 
46 


Viewing station history statistics for 
a previous or next interval 3-21 


Vitalink TransLAN III Management, 
Ethertype value C-6 


Vitalink, Ethertype value C-6 


VMTP (Versatile Message Transac- 
tion Protocol, RFC- 1045) (Stan- 
ford) 


—Ethertype value C-5 


W 


Warning messages A-7 to A-9 


Waterloo Microsystems, Ethertype 
value C-7 


Wellfleet, Ethertype value C-6 


X 
X.25 Level 3, Ethertype value C-3 
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X.75 Internet, Ethertype value C-3 


Xerox IEEE 802.3 PUP Address 
Translation, Ethertype value C-3 

Xerox IEEE 802.3 PUP, Ethertype 
value C-3 

Xerox NS IDP, Ethertype value C-3 

Xerox PUP (conflicts with IEEE 802.3 


Length Field, Ethertype value 
range) C-3 


Xerox PUP Address Translation, 
Ethertype value C-3 


XNS Compatibility, Ethertype value 
C-3 


XNS Echo option 9-3 
Xyplex, Ethertype value C-3 
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